Piwik_Common::getIP() - filter for public IP or from trusted proxy #567
Currently, getIp() only returns a single client IP address, looking at HTTP_CLIENT_IP, HTTP_X_FORWARD_FOR (XFF), and REMOTE_ADDR (in that order).
It’s possible that getIp() returns a private IP address. We should make it configurable to return the first “public” IP address which can be geolocated, unless you want the current behavior (e.g., #1054 intranet subnet identification).
These are some private IP address ranges:
Another consideration is XFF spoofing (increasingly popular with various browser addons). Perhaps we should log both the result from getIp() and REMOTE_ADDR?
(Above two scenarios may or may not involve a reverse proxy.)
Another consideration is #1553 … the IP address from PiwikTracker should override any logic here.
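One way to handle the private-address and XFF-spoofing cases raised above, as an added example that is not part of the original issue or Piwik's own code. The function names, the `$trustedProxies` setting and the `geolocatable` flag are hypothetical; the sample addresses are constructed, and `HTTP_CLIENT_IP` is not consulted here.

```php
<?php
// Added example: hypothetical helpers, not Piwik's getIp() implementation.

/** True if $ip is a valid address outside the private and reserved ranges. */
function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * @param array    $server         $_SERVER-style array
 * @param string[] $trustedProxies exact IPs of our reverse proxies (assumed setting)
 * @return array   chosen IP, the TCP peer (so both can be logged), and a geolocation hint
 */
function resolveClientIp(array $server, array $trustedProxies): array
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $ip = $remote;
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';

    // XFF is client-controlled unless the TCP peer is a proxy we operate.
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        // Each proxy appends the peer it saw, so read right to left and stop
        // at the first hop that is not ours; anything further left may be forged.
        foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
            if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
                break; // malformed entry: keep REMOTE_ADDR
            }
            if (!in_array($hop, $trustedProxies, true)) {
                $ip = $hop;
                break;
            }
        }
    }
    return ['ip' => $ip, 'remote_addr' => $remote, 'geolocatable' => isPublicIp($ip)];
}

// Constructed sample: the leftmost XFF entry was supplied by the client,
// the rightmost was appended by our proxy at 10.0.0.5.
$server = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.168.1.20, 198.51.100.23'];
print_r(resolveClientIp($server, ['10.0.0.5']));

// Same header arriving directly from an untrusted peer: XFF is ignored.
$server['REMOTE_ADDR'] = '198.51.100.23';
print_r(resolveClientIp($server, ['10.0.0.5']));
```

Trusted proxies are matched as exact strings here, so a deployment with proxy subnets or mixed IPv6 notations would need CIDR-aware matching instead.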