@robocoder
The current implementation relies on user to configure the set of trusted proxy_host_headers and proxy_client_headers, and takes the last IP in a list.
Where there are multiple proxy server IPs, these IPs should be skipped, if any appear in the header.
Note: this isn't a typical use case, but is a feature that I've seen elsewhere (eg Drupal).
Should support CIDR notation (previously suggested for SitesManager in #1775).
For example, CloudFlare's IP range is:
- 204.93.240.0/24
- 204.93.177.0/24
- 199.27.128.0/21
- 173.245.48.0/20
Expressing the last one using wildcards is very tedious, e.g., 173.245.48., 173.245.49., 173.245.50., 173.245.51. ... etc ... 173.245.63.*
This ticket will also handle the use case described in #2077 of filtering out private and reserved IP addresses, e.g.,
- 10.0.0.0/8 (private)
- 172.16.0.0/12 (private)
- 192.168.0.0/16 (private)
- 169.254.0.0/16 (auto-configuration)
- 127.0.0.0/8 (loopback)
- 224.0.0.0 - 239.255.255.255 (multicast)
(In [4533]) fixes #1111 - add support for IPv6 addresses (tracking, anonymization, and exclusion)
fixes #2095 - add new anonymization hook (pre-heuristics)
fixes #2055 - optional IP filter when multiple proxies present
fixes #1775 - SitesManager: supports CIDR notation for IP exclusion
Notes:
- Installer no longer checks for IPv6, so the related messages should be deleted from translations
- IPv4 mapped addresses (e.g., ::ffff:127.0.0.1) are no longer re-mapped into IPv4 space
- users who to query IP addresses from MySQL directly, can use the following SQL, but inet_ntoa() is limited to IPv4 addresses:
select inet_ntoa(conv(hex(location_ip), 16, 10)) from piwik_log_visit;- Windows: IPv6 inet_pton()/inet_ntop() not supported until php 5.3; see #2351
The filter fails on IPv6 addresses because the IPv6 address in HTTP-X-Forwarded-Host is in square brackets.
The filter also fails on domain names because the filter assumes the list only contains IP addresses. (Regression)
(In [4539]) refs #2055 - add unit tests
(In [4540]) fixes #2055