Filtering multiple proxy server IPs #2055

Closed
robocoder opened this Issue Feb 2, 2011 · 6 comments

@robocoder

The current implementation relies on the user to configure the set of trusted proxy_host_headers and proxy_client_headers, and takes the last IP in a list.

Where there are multiple proxy server IPs, these IPs should be skipped, if any appear in the header.

Note: this isn't a typical use case, but is a feature that I've seen elsewhere (e.g., Drupal).

@robocoder

Should support CIDR notation (previously suggested for SitesManager in #1775).

For example, CloudFlare's IP range is:

  • 204.93.240.0/24
  • 204.93.177.0/24
  • 199.27.128.0/21
  • 173.245.48.0/20

Expressing the last one using wildcards is very tedious, e.g., 173.245.48.*, 173.245.49.*, 173.245.50.*, 173.245.51.* ... etc ... 173.245.63.*

@robocoder

This ticket will also handle the use case described in #2077 of filtering out private and reserved IP addresses, e.g.,

  • 10.0.0.0/8 (private)
  • 172.16.0.0/12 (private)
  • 192.168.0.0/16 (private)
  • 169.254.0.0/16 (auto-configuration)
  • 127.0.0.0/8 (loopback)
  • 224.0.0.0 - 239.255.255.255 (multicast)

@robocoder

(In [4533]) fixes #1111 - add support for IPv6 addresses (tracking, anonymization, and exclusion)
fixes #2095 - add new anonymization hook (pre-heuristics)
fixes #2055 - optional IP filter when multiple proxies present
fixes #1775 - SitesManager: supports CIDR notation for IP exclusion

Notes:

  • Installer no longer checks for IPv6, so the related messages should be deleted from translations
  • IPv4 mapped addresses (e.g., ::ffff:127.0.0.1) are no longer re-mapped into IPv4 space
  • users who want to query IP addresses from MySQL directly can use the following SQL, but inet_ntoa() is limited to IPv4 addresses:
    select inet_ntoa(conv(hex(location_ip), 16, 10)) from piwik_log_visit;
  • Windows: IPv6 inet_pton()/inet_ntop() not supported until PHP 5.3; see #2351

@robocoder

The filter fails on IPv6 addresses because the IPv6 address in HTTP-X-Forwarded-Host is in square brackets.

The filter also fails on domain names because the filter assumes the list only contains IP addresses. (Regression)

@robocoder

(In [4539]) refs #2055 - add unit tests

@robocoder

(In [4540]) fixes #2055

@robocoder robocoder added this to the 1.4 - Piwik 1.4 milestone Jul 8, 2014
@robocoder robocoder self-assigned this Jul 8, 2014
This issue was closed.
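The filtering discussed in this thread, as an added example that is not Piwik's code and not part of the original issue: it walks a forwarded-client header from right to left, skips hops inside trusted proxy CIDR ranges, and copes with bracketed IPv6 entries and non-IP tokens instead of failing. The function names, the X-Forwarded-For style input and the choice to stop at an unparseable entry are assumptions; the trusted list reuses the CloudFlare ranges quoted above plus loopback.

```python
import ipaddress

# Constructed trusted-proxy list: CIDR ranges quoted in the thread, plus loopback.
TRUSTED_PROXIES = [ipaddress.ip_network(cidr) for cidr in (
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21",
    "173.245.48.0/20", "127.0.0.0/8", "::1/128",
)]

def parse_ip(token):
    """Return an ip_address for one header entry, or None if it is not an IP literal."""
    token = token.strip()
    if token.startswith("["):        # bracketed IPv6, optionally followed by :port
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:      # IPv4 followed by :port
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None                  # host name, "unknown", empty string, garbage

def is_trusted(ip):
    """True if ip falls inside any trusted range (v4/v6 mismatches never match)."""
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, forwarded_for):
    """Pick the client address from the socket peer and a forwarded-for header value."""
    peer = parse_ip(remote_addr)
    if peer is None or not is_trusted(peer):
        return remote_addr           # header was not set by a trusted proxy: ignore it
    nearest = remote_addr            # closest-to-client address we can still vouch for
    for token in reversed(forwarded_for.split(",")):
        ip = parse_ip(token)
        if ip is None:
            return nearest           # unparseable entry: anything left of it is unverified
        if not is_trusted(ip):
            return str(ip)           # first hop outside the trusted ranges is the client
        nearest = str(ip)            # trusted proxy hop: skip it and keep walking left
    return nearest                   # every entry was a trusted proxy

if __name__ == "__main__":
    # Constructed sample: client 203.0.113.7 seen through two trusted proxies.
    print(client_ip("173.245.48.10", "203.0.113.7, 199.27.128.5"))
```

Entries to the left of the first untrusted hop are client-supplied, which is why the walk runs right to left and stops there rather than taking the leftmost value.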