
Wrong IP extracted from HTTP_X_FORWARDED_FOR when there is more than one #10342

Closed
mvillarl opened this issue Jul 26, 2016 · 3 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Comments

@mvillarl

When Piwik is set up to get the client IP from the proxy header (proxy_client_headers[] setting) and the header contains more than one IP address, the one Piwik uses is the last one; according to the protocol definition, it should be the first one.

See https://tools.ietf.org/html/rfc7239

How to reproduce:

  • Set up Piwik to take into account proxy headers:
    proxy_client_headers[] = HTTP_X_FORWARDED_FOR
  • Disable IP anonymizer
  • Access Piwik in a way that HTTP_X_FORWARDED_FOR contains more than one IP - either from your network configuration or with a header injection tool
  • If HTTP_X_FORWARDED_FOR contains, for instance: 1.2.3.4, 5.6.7.8 -> Piwik assigns 5.6.7.8 as the client source IP.
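The two parsing behaviours the report contrasts, as an added example that is not Piwik's own code: `last_ip` reproduces the reported result (5.6.7.8) and `first_ip` the expected one (1.2.3.4). It also goes beyond the report with `client_ip_behind_trusted_proxies`, the variant used when the proxy chain is known: since the leftmost entries are supplied by the client, it walks the list from the right and stops at the first address that is not one of the configured trusted proxies. The sample header and the 10.0.0.0/8 proxy range are constructed for the example.

```python
import ipaddress

# Constructed sample from the report: client-supplied entry first, proxy appended last.
SAMPLE_HEADER = "1.2.3.4, 5.6.7.8"


def parse_forwarded_for(header_value):
    """Split an X-Forwarded-For value into its non-empty, whitespace-trimmed entries."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def first_ip(header_value):
    """Behaviour described by the fix: the first non-empty entry is the client."""
    ips = parse_forwarded_for(header_value)
    return ips[0] if ips else None


def last_ip(header_value):
    """Behaviour the report observed: the last entry is taken as the client."""
    ips = parse_forwarded_for(header_value)
    return ips[-1] if ips else None


def _is_trusted(addr, trusted_networks):
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header is never treated as a trusted proxy
    return any(ip in net for net in trusted_networks)


def client_ip_behind_trusted_proxies(header_value, remote_addr, trusted_proxies):
    """Rightmost entry not belonging to a trusted proxy; falls back to remote_addr.

    remote_addr is the TCP peer (e.g. REMOTE_ADDR). If the peer itself is not a
    trusted proxy, the header cannot be trusted at all and the peer is the client.
    """
    trusted_networks = [ipaddress.ip_network(p) for p in trusted_proxies]
    if not _is_trusted(remote_addr, trusted_networks):
        return remote_addr
    for candidate in reversed(parse_forwarded_for(header_value)):
        if not _is_trusted(candidate, trusted_networks):
            return candidate
    return remote_addr  # every hop was a trusted proxy; nothing better is known


if __name__ == "__main__":
    print("reported:", last_ip(SAMPLE_HEADER), "expected:", first_ip(SAMPLE_HEADER))
```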
@madpsy

madpsy commented Aug 8, 2016

A workaround for this is to use a unique header. For example, if using HAProxy in front of Apache you can specify 'option forwardfor header X-Real-Originating-IP' in haproxy.conf and 'HTTP_X_REAL_ORIGINATING_IP' in piwik's config.

At least there is a lot less chance of something else using your custom header.

@mattab
Member

mattab commented Aug 16, 2016

Thanks for the report! This pull request was created: #10404
Could you test it and report whether this works for you?

@mvillarl
Author

Just installed it. I will have to wait a few hours for new traffic to come in, but it looks good! Thank you so much.

mattab added a commit that referenced this issue Sep 19, 2016
… HTTP_CF_CONNECTING_IP and HTTP_X_FORWARDED_HOST when there is more than one IP (#10404)

* Extract the first IP from HTTP_X_FORWARDED_FOR when there is more than one
Fixes #10342

* Fetch the first IP from a list of IPs

* Return the first non empty IP
@mattab mattab added this to the 3.0.0-b1 milestone Oct 2, 2016
@mattab mattab added Bug For errors / faults / flaws / inconsistencies etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. labels Oct 2, 2016
@mattab mattab closed this as completed Oct 2, 2016
@mattab mattab removed the Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. label Oct 5, 2016