
Filtering multiple proxy server IPs #2055

Closed
robocoder opened this Issue · 6 comments

1 participant

@robocoder
Collaborator

The current implementation relies on user to configure the set of trusted proxy_host_headers and proxy_client_headers, and takes the last IP in a list.

Where there are multiple proxy server IPs, these IPs should be skipped, if any appear in the header.

Note: this isn't a typical use case, but is a feature that I've seen elsewhere (eg Drupal).

@robocoder
Collaborator

Should support CIDR notation (previously suggested for SitesManager in #1775).

For example, CloudFlare's IP range is:

  • 204.93.240.0/24
  • 204.93.177.0/24
  • 199.27.128.0/21
  • 173.245.48.0/20

Expressing the last one using wildcards is very tedious, e.g., 173.245.48.*, 173.245.49.*, 173.245.50.*, 173.245.51.* ... etc ... 173.245.63.*

@robocoder
Collaborator

This ticket will also handle the use case described in #2077 of filtering out private and reserved IP addresses, e.g.,

  • 10.0.0.0/8 (private)
  • 172.16.0.0/12 (private)
  • 192.168.0.0/16 (private)
  • 169.254.0.0/16 (auto-configuration)
  • 127.0.0.0/8 (loopback)
  • 224.0.0.0 - 239.255.255.255 (multicast)
@robocoder
Collaborator

(In [4533]) fixes #1111 - add support for IPv6 addresses (tracking, anonymization, and exclusion)
fixes #2095 - add new anonymization hook (pre-heuristics)
fixes #2055 - optional IP filter when multiple proxies present
fixes #1775 - SitesManager: supports CIDR notation for IP exclusion

Notes:

  • Installer no longer checks for IPv6, so the related messages should be deleted from translations
  • IPv4 mapped addresses (e.g., ::ffff:127.0.0.1) are no longer re-mapped into IPv4 space
  • users who want to query IP addresses from MySQL directly can use the following SQL, but inet_ntoa() is limited to IPv4 addresses:
select inet_ntoa(conv(hex(location_ip), 16, 10)) from piwik_log_visit;
  • Windows: IPv6 inet_pton()/inet_ntop() not supported until PHP 5.3; see #2351
@robocoder
Collaborator

The filter fails on IPv6 addresses because the IPv6 address in HTTP-X-Forwarded-Host is in square brackets.

The filter also fails on domain names because the filter assumes the list only contains IP addresses. (Regression)
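
The filtering discussed in this thread, as an added example in Python that is not part of the original issue and is not Piwik's PHP code: it walks a forwarded-for style list from the right, skips entries that fall inside the CIDR ranges quoted above, and tolerates bracketed IPv6 addresses and hostnames. The names `PROXY_RANGES`, `parse_entry`, `in_ranges` and `client_ip` are hypothetical, and the header values used to exercise it are constructed.

```python
import ipaddress

# Ranges quoted in the issue: CloudFlare proxies plus private/reserved space.
PROXY_RANGES = [
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21", "173.245.48.0/20",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
    "224.0.0.0/4",  # CIDR form of 224.0.0.0 - 239.255.255.255
]


def parse_entry(token):
    """Return an ip_address for one header entry, or None if it is not an IP."""
    token = token.strip()
    if token.startswith("["):        # "[2001:db8::5]" or "[2001:db8::5]:443"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:      # "203.0.113.7:8080" (IPv4 with a port)
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:               # hostname, "unknown", or garbage
        return None


def in_ranges(ip, networks):
    # An IPv6 address tested against an IPv4 network is simply False,
    # so one mixed list of ranges is safe to use.
    return any(ip in net for net in networks)


def client_ip(header_value, proxy_ranges=PROXY_RANGES):
    """Pick the right-most header entry that is not a known proxy hop."""
    networks = [ipaddress.ip_network(r) for r in proxy_ranges]
    for token in reversed(header_value.split(",")):
        ip = parse_entry(token)
        if ip is None or in_ranges(ip, networks):
            continue                 # skip hostnames and proxy/reserved hops
        return str(ip)
    return None                      # caller falls back to the socket address


if __name__ == "__main__":
    # Constructed sample header value, not taken from the issue.
    sample = "198.51.100.23, [2001:db8::5], proxy.example.net, 173.245.52.9, 10.0.0.4"
    print(client_ip(sample))
```

Entries to the left of the returned address are client-supplied and are never consulted once a non-proxy hop is found.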

@robocoder
Collaborator

(In [4539]) refs #2055 - add unit tests

@robocoder
Collaborator

(In [4540]) fixes #2055

@robocoder robocoder added this to the 1.4 - Piwik 1.4 milestone
@robocoder robocoder self-assigned this
This issue was closed.