Server-side Bruteforce-prevention makes PHP return the server IP instead of the visitor's IP, Matomo geolocation is compromised #16056
Labels
answered
For when a question was asked and we referred to forum or answered it.
Comments
h3x4git
changed the title
|
@h3x4git you need to configure That's probably the FAQ you found and it should in this case also apply to you even though it might not be a proxy. Let me know if this doesn't work for you and I'll be happy to reopen. |
tsteur
added
the
answered
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The server I'm hosting a few of my Matomo instances on has recently adopted a security measure for preventing bruteforce attacks.
The hosting provider staff says that part of this entails PHP variables such as $_SERVER['REMOTE_ADDR'] will return the local machine external address instead of the visitor's. As a result all the visitors in my Matomo history appear to come from the same city as the server location. Regardless what city, region or nation they visit from.
$_SERVER["HTTP_X_REAL_IP"] is the actual variable to be used on those machines, otherwise a migration to a less secure server will be necessary.
I haven't found a way to address this problem through the config file, in the docs I've only found information as for logging the real IP address when behing a proxy, which isn't my case. Is there any way to set which variable should be called for the IP address value provided by PHP?
The text was updated successfully, but these errors were encountered: