@mvillarl opened this Issue on July 26th 2016

When Piwik is set up to get the client IP from the proxy header (proxy_client_headers[] setting) and the header contains more than one IP address, the one Piwik uses is the last one; according to the protocol definition, it should be the first one.

See https://tools.ietf.org/html/rfc7239

How to reproduce:

  • Set up Piwik to take into account proxy headers:
    proxy_client_headers[] = HTTP_X_FORWARDED_FOR
  • Disable IP anonymizer
  • Access Piwik in a way that the HTTP_X_FORWARDED_FOR contains more than one IP - either from your network configuration or with a header injection tool
  • If HTTP_X_FORWARDED_FOR contains, for instance:, -> Piwik assigns as the client source IP.
@madpsy commented on August 8th 2016

A workaround for this is to use a unique header. For example, if using HAProxy in front of Apache you can specify 'option forwardfor header X-Real-Originating-IP' in haproxy.conf and 'HTTP_X_REAL_ORIGINATING_IP' in Piwik's config.

At least there is a lot less chance of something else using your custom header.
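As an added illustration (not Piwik's own code and not from either commenter), the following Python snippet shows the three ways of picking a client address out of a forwarded-for style header that the two posts above touch on: the behaviour the issue reports (last listed address), the behaviour it asks for (first listed address, the originating client in the order the protocol defines), and the variant a defender usually wants, which walks the list from the right past proxies you actually operate and stops at the first address you did not add yourself. It also accepts a list of header names in the `$_SERVER` form the page uses (`HTTP_X_FORWARDED_FOR`, `HTTP_X_REAL_ORIGINATING_IP`), so the custom-header workaround is just a configuration change. The request environment and all addresses are constructed sample values; `client_ip_*`, `split_forwarded_for`, `valid_ips` and `SAMPLE_ENV` are names chosen here, not Piwik identifiers.

```python
from ipaddress import ip_address

# Constructed sample of what a PHP-style $_SERVER array might contain after
# a request has crossed two proxies (documentation-range addresses only).
SAMPLE_ENV = {
    "HTTP_X_FORWARDED_FOR": "203.0.113.7, 198.51.100.2, 10.0.0.5",
    "HTTP_X_REAL_ORIGINATING_IP": "203.0.113.7",
    "REMOTE_ADDR": "10.0.0.5",  # address of the last proxy that hit us
}


def split_forwarded_for(value):
    """Split a comma-separated header value, dropping blanks and whitespace."""
    return [part.strip() for part in value.split(",") if part.strip()]


def valid_ips(parts):
    """Keep only entries that parse as IPv4/IPv6; tokens like 'unknown' are dropped."""
    kept = []
    for part in parts:
        try:
            ip_address(part)
        except ValueError:
            continue
        kept.append(part)
    return kept


def _forwarded_chain(env, proxy_client_headers):
    """Return the address list from the first configured header that is present, or None."""
    for header in proxy_client_headers:
        raw = env.get(header)
        if raw:
            chain = valid_ips(split_forwarded_for(raw))
            if chain:
                return chain
    return None


def client_ip_last_hop(env, proxy_client_headers):
    """Behaviour reported as the bug: take the last listed address."""
    chain = _forwarded_chain(env, proxy_client_headers)
    return chain[-1] if chain else env.get("REMOTE_ADDR")


def client_ip_first_hop(env, proxy_client_headers):
    """Behaviour the issue asks for: take the first listed address (the originating client)."""
    chain = _forwarded_chain(env, proxy_client_headers)
    return chain[0] if chain else env.get("REMOTE_ADDR")


def client_ip_trusted(env, proxy_client_headers, trusted_proxies):
    """Walk from the right, skipping proxies we operate; the first address that is not ours
    is the client. Anything to the left of it was supplied by an untrusted party and is
    only useful as audit information."""
    chain = _forwarded_chain(env, proxy_client_headers)
    if not chain:
        return env.get("REMOTE_ADDR")
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    # Every listed address is one of our own proxies: fall back to the socket peer.
    return env.get("REMOTE_ADDR")


if __name__ == "__main__":
    headers = ["HTTP_X_FORWARDED_FOR"]
    print("last hop  :", client_ip_last_hop(SAMPLE_ENV, headers))
    print("first hop :", client_ip_first_hop(SAMPLE_ENV, headers))
    print("trusted   :", client_ip_trusted(SAMPLE_ENV, headers, {"10.0.0.5", "198.51.100.2"}))
    print("custom hdr:", client_ip_first_hop(SAMPLE_ENV, ["HTTP_X_REAL_ORIGINATING_IP"]))
```

The trusted-proxy variant is the one to prefer when the header can be reached by arbitrary clients: the leftmost entry is whatever the first hop chose to send, so recording it as fact (or using it in IP-based access rules) only makes sense when every proxy between the client and the application is one you control, which is also why a private header name, as in the workaround above, narrows rather than removes that dependency.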

@mattab commented on August 16th 2016 Member

Thanks for the report! This pull request was created: https://github.com/piwik/piwik/pull/10404
Could you test it and report whether this works for you?

@mvillarl commented on August 19th 2016

Just installed it. I will have to wait a few hours for new traffic to come in, but it looks good! Thank you so much.

This Issue was closed on October 2nd 2016