Server-side Bruteforce-prevention makes PHP return the server IP instead of the visitor's IP, Matomo geolocation is compromised #16056
Labels
answered
For when a question was asked and we referred to forum or answered it.
The server I'm hosting a few of my Matomo instances on has recently adopted a security measure for preventing bruteforce attacks.
The hosting provider staff says that part of this entails PHP variables such as $_SERVER['REMOTE_ADDR'] will return the local machine external address instead of the visitor's. As a result all the visitors in my Matomo history appear to come from the same city as the server location. Regardless what city, region or nation they visit from.
$_SERVER["HTTP_X_REAL_IP"] is the actual variable to be used on those machines, otherwise a migration to a less secure server will be necessary.
I haven't found a way to address this problem through the config file, in the docs I've only found information as for logging the real IP address when behing a proxy, which isn't my case. Is there any way to set which variable should be called for the IP address value provided by PHP?
The text was updated successfully, but these errors were encountered: