Filtering multiple proxy server IPs #2055

Closed
robocoder opened this Issue · 6 comments

1 participant

Anthon Pang
Collaborator

The current implementation relies on the user to configure the set of trusted proxy_host_headers and proxy_client_headers, and takes the last IP in a list.

Where there are multiple proxy server IPs, these IPs should be skipped, if any appear in the header.

Note: this isn't a typical use case, but is a feature that I've seen elsewhere (e.g., Drupal).

Anthon Pang
Collaborator

Should support CIDR notation (previously suggested for SitesManager in #1775).

For example, CloudFlare's IP range is:

  • 204.93.240.0/24
  • 204.93.177.0/24
  • 199.27.128.0/21
  • 173.245.48.0/20

Expressing the last one using wildcards is very tedious, e.g., 173.245.48.*, 173.245.49.*, 173.245.50.*, 173.245.51.* ... etc ... 173.245.63.*

Anthon Pang
Collaborator

This ticket will also handle the use case described in #2077 of filtering out private and reserved IP addresses, e.g.,

  • 10.0.0.0/8 (private)
  • 172.16.0.0/12 (private)
  • 192.168.0.0/16 (private)
  • 169.254.0.0/16 (auto-configuration)
  • 127.0.0.0/8 (loopback)
  • 224.0.0.0 - 239.255.255.255 (multicast)
Anthon Pang
Collaborator

(In [4533]) fixes #1111 - add support for IPv6 addresses (tracking, anonymization, and exclusion)
fixes #2095 - add new anonymization hook (pre-heuristics)
fixes #2055 - optional IP filter when multiple proxies present
fixes #1775 - SitesManager: supports CIDR notation for IP exclusion

Notes:

  • Installer no longer checks for IPv6, so the related messages should be deleted from translations
  • IPv4 mapped addresses (e.g., ::ffff:127.0.0.1) are no longer re-mapped into IPv4 space
  • users who want to query IP addresses from MySQL directly can use the following SQL, but inet_ntoa() is limited to IPv4 addresses:
    select inet_ntoa(conv(hex(location_ip), 16, 10)) from piwik_log_visit;
  • Windows: IPv6 inet_pton()/inet_ntop() not supported until php 5.3; see #2351
Anthon Pang
Collaborator

The filter fails on IPv6 addresses because the IPv6 address in HTTP-X-Forwarded-Host is in square brackets.

The filter also fails on domain names because the filter assumes the list only contains IP addresses. (Regression)

Anthon Pang
Collaborator

(In [4539]) refs #2055 - add unit tests

Anthon Pang
Collaborator

(In [4540]) fixes #2055

Anthon Pang robocoder added this to the 1.4 - Piwik 1.4 milestone
Anthon Pang robocoder self-assigned this
This issue was closed.
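
The filter discussed in this issue, as an added Python sketch (not Piwik's code and not posted by anyone in the thread): it walks the forwarded list from the last entry, skips entries inside trusted CIDR ranges, and tolerates the bracketed IPv6 and hostname entries that broke the first fix. The names `client_ip` and `parse_hop`, the `remote_addr` check, the choice to skip non-IP entries, and the sample addresses are assumptions; the ranges are the ones listed in the comments above.

```python
import ipaddress

# Ranges quoted in the thread: CloudFlare plus private/reserved blocks.
# 224.0.0.0 - 239.255.255.255 is written here as 224.0.0.0/4.
TRUSTED_PROXIES = [ipaddress.ip_network(cidr) for cidr in (
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21", "173.245.48.0/20",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "224.0.0.0/4",
)]


def parse_hop(token):
    """Return an ip_address for one list element, or None if it is not an IP."""
    token = token.strip()
    if token.startswith("["):              # bracketed IPv6, e.g. "[2001:db8::1]"
        token = token[1:].partition("]")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None                        # hostname, "unknown", or garbage


def client_ip(remote_addr, forwarded, trusted=TRUSTED_PROXIES):
    """Return the right-most address in the proxy chain that is not a trusted proxy.

    remote_addr is the TCP peer; forwarded is the raw comma-separated header value.
    """
    def is_trusted(ip):
        return any(ip.version == net.version and ip in net for net in trusted)

    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return str(peer)                   # header came from an untrusted peer: ignore it
    candidate = peer
    for token in reversed(forwarded.split(",")):
        hop = parse_hop(token)
        if hop is None:
            continue                       # assumption: skip non-IP entries, do not fail
        candidate = hop
        if not is_trusted(hop):
            break                          # first untrusted hop from the right wins
    return str(candidate)
```

Entries to the left of the first untrusted hop are never consulted, so a value the client prepends to the header cannot displace the address recorded by the nearest trusted proxy.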