
Wrong IP extracted from HTTP_X_FORWARDED_FOR when there is more than one #10342

Closed
mvillarl opened this Issue Jul 26, 2016 · 3 comments

mvillarl commented Jul 26, 2016

When Piwik is set up to get the client IP from the proxy header (proxy_client_headers[] setting) and the header contains more than one IP address, the one Piwik uses is the last one; according to the protocol definition, it should be the first one.

See https://tools.ietf.org/html/rfc7239

How to reproduce:

  • Set up Piwik to take into account proxy headers:
    proxy_client_headers[] = HTTP_X_FORWARDED_FOR
  • Disable IP anonymizer
  • Access Piwik in such a way that HTTP_X_FORWARDED_FOR contains more than one IP, either from your network configuration or with a header injection tool
  • If HTTP_X_FORWARDED_FOR contains, for instance: 1.2.3.4, 5.6.7.8 -> Piwik assigns 5.6.7.8 as the client source IP.
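The three readings of the header that matter here, as an added example in Python (not Piwik's code): `last_ip` is the behaviour reported above, `first_ip` is the leftmost-entry behaviour, and `client_ip` is a trusted-proxy walk, a different technique from either, in which the chain is read from the right and the first hop not belonging to a proxy you operate is taken as the client. The point of the third function is the caveat a practitioner wants with this report: the leftmost entry is whatever the client sent, so a header injection tool of the kind mentioned above controls it completely; only the hops appended by your own proxies can be believed. The proxy ranges and the sample header values are assumptions constructed for the illustration.

```python
# Added example (not Piwik's own code): three ways of reading the client
# address out of X-Forwarded-For. The trusted-proxy ranges and the sample
# header values below are assumptions constructed for this illustration.
import ipaddress
from typing import List, Optional

# Assumed: address ranges of the reverse proxies we operate. Only hops
# appended by these proxies can be believed; anything to the left of them
# in the chain was supplied by the client or by an upstream we do not control.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]


def split_forwarded_for(header: str) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its hops,
    stripping whitespace and dropping empty entries."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def last_ip(header: str) -> Optional[str]:
    """Behaviour reported in this issue: the rightmost entry wins."""
    hops = split_forwarded_for(header)
    return hops[-1] if hops else None


def first_ip(header: str) -> Optional[str]:
    """Leftmost non-empty entry. This is the value the client controls."""
    hops = split_forwarded_for(header)
    return hops[0] if hops else None


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, header: str) -> Optional[str]:
    """Trusted-proxy walk: start from the TCP peer (REMOTE_ADDR) and move
    leftwards through the chain while the hops are proxies we trust.
    The first hop that is not ours is the best available client address.

    Returns None if a hop we reach is not a valid IP literal, so that an
    injected junk value is rejected rather than stored."""
    # If the peer is not one of our proxies, the header cannot be trusted
    # at all: the peer is the client and may have written the header itself.
    if not _is_trusted(remote_addr):
        return remote_addr
    for hop in reversed(split_forwarded_for(header)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not _is_trusted(hop):
            return hop
    # The whole chain consisted of our own proxies (or was empty).
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: client 1.2.3.4 -> upstream proxy 5.6.7.8 -> our
    # proxy 10.0.0.5, which is the TCP peer seen by the application.
    sample = "1.2.3.4, 5.6.7.8"
    print(last_ip(sample))                # 5.6.7.8 (behaviour in the report)
    print(first_ip(sample))               # 1.2.3.4 (leftmost entry)
    print(client_ip("10.0.0.5", sample))  # 5.6.7.8 (nearest hop we did not add)
```

Note how the two behaviours disagree on the same header, and that `client_ip` returns the peer address unchanged when the request did not arrive through one of the listed proxies: in that situation the header, however many entries it has, was not written by anything you control.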

madpsy commented Aug 8, 2016

A workaround for this is to use a unique header. For example, if using HAProxy in front of Apache you can specify 'option forwardfor header X-Real-Originating-IP' in haproxy.conf and 'HTTP_X_REAL_ORIGINATING_IP' in piwik's config.

At least there is a lot less chance of something else using your custom header.

mattab commented Aug 16, 2016

Thanks for the report! This pull request was created: #10404
Could you test it and report whether this works for you?

mvillarl commented Aug 19, 2016

Just installed it. I will have to wait a few hours for new traffic to come in, but it looks good! Thank you so much.

mattab added a commit that referenced this issue Sep 19, 2016

Extract the first IP from HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP and HTTP_CF_CONNECTING_IP and HTTP_X_FORWARDED_HOST when there is more than one IP (#10404)

* Extract the first IP from HTTP_X_FORWARDED_FOR when there is more than one
Fixes #10342

* Fetch the first IP from a list of IPs

* Return the first non empty IP

@mattab mattab added this to the 3.0.0-b1 milestone Oct 2, 2016

@mattab mattab added Bug Major labels Oct 2, 2016

@mattab mattab closed this Oct 2, 2016

@mattab mattab removed the Major label Oct 5, 2016
