Piwik_Common::getIP() - filter for public IP or from trusted proxy #567
Comments
Also, it looks like there are a couple of unreachable code paths in the current implementation of getIp() to be reviewed.
Rolling requirements into #43.
Re-opening as a separate ticket.
For intranets, this may be undesirable. So, I'm guessing we'd want to make this configurable. See #1054 use case.
Why is it not desirable for intranets? I'm afraid my network knowledge is limited.
Intranets tend to use IP addresses in the private IP address ranges; excluding these would be bad unless configurable.
(In [2013]) refs #567 / comment:ticket:567:1 - clean up getIp()
(In [3211]) fixes #567
(In [3225]) refs #567
(In [3226]) refs #567
(In [3232]) refs #567
This fix was undone by work in #1897, and needs to be revisited.
The fix is to use the last IP in the comma-separated list.
(In [3463]) fixes #567
Currently, getIp() only returns a single client IP address, looking at HTTP_CLIENT_IP, HTTP_X_FORWARD_FOR (XFF), and REMOTE_ADDR (in that order).
It’s possible that getIp() returns a private IP address. We should make it configurable to return the first “public” IP address which can be geolocated, unless you want the current behavior (e.g., #1054 intranet subnet identification).
These are some private IP address ranges:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
Another consideration is XFF spoofing (increasingly popular with various browser add-ons). Perhaps we should log both the result from getIp() and REMOTE_ADDR?
(The above two scenarios may or may not involve a reverse proxy.)
Another consideration is #1553 … the IP address from PiwikTracker should override any logic here.
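Added example, not Piwik's own PHP code: a Python sketch of the two strategies discussed in this ticket side by side. `first_public_ip` is the description's proposal taken literally (first geolocatable address found in HTTP_CLIENT_IP, X-Forwarded-For, REMOTE_ADDR), and `resolve_client_ip` is the trusted-proxy walk that starts from the last entry of the comma-separated X-Forwarded-For list, as the comment above suggests, and also returns REMOTE_ADDR so both can be logged. `TRUSTED_PROXIES`, the `allow_private` toggle, the `server` dict standing in for PHP's `$_SERVER`, and all sample addresses are constructed for this example.

```python
"""Client-IP resolution behind reverse proxies: naive first-public scan vs. trusted-proxy walk.
Illustrative Python, not Piwik's getIp(). `server` mimics PHP's $_SERVER array."""
import ipaddress
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed for this example: the networks our own reverse proxies live in.
# Only a request whose REMOTE_ADDR falls inside one of these may use X-Forwarded-For.
TRUSTED_PROXIES: List[IPNet] = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def parse_ip(text: str) -> Optional[IPAddr]:
    """Parse one address; junk such as 'unknown' (common in XFF lists) yields None."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip: IPAddr, trusted: List[IPNet]) -> bool:
    return any(ip.version == net.version and ip in net for net in trusted)


def xff_entries(server: Dict[str, str]) -> List[str]:
    """Split HTTP_X_FORWARDED_FOR on commas; the leftmost entry is the client's own claim."""
    return [p.strip() for p in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if p.strip()]


def first_public_ip(server: Dict[str, str]) -> Optional[str]:
    """The ticket's proposal taken literally: first public address in HTTP_CLIENT_IP,
    then X-Forwarded-For left to right, then REMOTE_ADDR. Any client can put a public
    address at the front of X-Forwarded-For, so this is spoofable by every visitor."""
    candidates = [server.get("HTTP_CLIENT_IP", "")] + xff_entries(server) + [server.get("REMOTE_ADDR", "")]
    for text in candidates:
        ip = parse_ip(text)
        if ip is not None and ip.is_global:
            return str(ip)
    return None


def resolve_client_ip(server: Dict[str, str], trusted: List[IPNet] = TRUSTED_PROXIES,
                      allow_private: bool = False) -> Dict[str, Optional[str]]:
    """Trusted-proxy resolution. Returns the resolved client address together with the
    raw REMOTE_ADDR so both can be logged.

    Each honest proxy appends the peer it saw to X-Forwarded-For, so the list is walked
    from the right: trusted proxies are skipped and the first untrusted hop is the
    client. Entries further left are whatever the client chose to send and are ignored.
    If REMOTE_ADDR itself is not a trusted proxy, the header is ignored entirely.
    """
    remote = parse_ip(server.get("REMOTE_ADDR", ""))
    out: Dict[str, Optional[str]] = {
        "remote_addr": str(remote) if remote else None, "client_ip": None, "source": "REMOTE_ADDR"}
    if remote is None:
        return out
    client: IPAddr = remote
    if is_trusted(remote, trusted):
        for text in reversed(xff_entries(server)):
            ip = parse_ip(text)
            if ip is None:
                break  # malformed hop: stop at the last well-formed hop already reached
            client = ip
            out["source"] = "HTTP_X_FORWARDED_FOR"
            if not is_trusted(ip, trusted):
                break
    # Private/reserved addresses cannot be geolocated; only report them when the
    # deployment opted in (the intranet case from #1054).
    if client.is_global or allow_private:
        out["client_ip"] = str(client)
    return out


if __name__ == "__main__":
    # Constructed request: a visitor behind our proxy chain who prepended a fake public address.
    req = {"REMOTE_ADDR": "10.1.2.3", "HTTP_X_FORWARDED_FOR": "1.1.1.1, 93.184.216.34, 10.0.0.9"}
    print("first public:", first_public_ip(req))      # the spoofed 1.1.1.1
    print("trusted walk:", resolve_client_ip(req))    # 93.184.216.34, the real client
```

The walk direction is the whole point: a proxy appends the address it actually connected from, so the rightmost untrusted entry is the one fact the header carries; everything to its left was supplied by the client. Documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are reported as non-global by Python's `ipaddress`, so use real public addresses when exercising the `is_global` branch.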