matomo-org/matomo

IP::getNonProxyIpFromHeader retrieves final proxy instead of client

Open

#7060 opened on Jan 21, 2015

Labels: Bug, Help wanted

Description

IP::getNonProxyIpFromHeader attempts to retrieve the client IP address from headers configured in proxy_client_headers[]. This calls IP::getLastIpFromList, excluding proxies configured via proxy_ips[].

What I do not understand is why by default this returns the last IP, whereas the format for X-Forwarded-For is client, proxy1, proxy2, ...: http://en.wikipedia.org/wiki/X-Forwarded-For#Format

This only becomes an issue when running Piwik behind multiple proxies; for example the configuration in question is:

[Enterprise Appliance] => [IIS ARR] => [Piwik]

So Piwik sees:

X-Forwarded-For: <client>, <enterprise_appliance>

Basically the current behavior would seem to select the IP of the last proxy by default. This would be problematic in a scenario with variable proxy IPs.
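
The following added example is not Matomo code and is not from the issue author. It contrasts taking the last `X-Forwarded-For` entry with walking the list from right to left and skipping addresses in a trusted proxy range, which still resolves the client when the appliance address varies within a known pool. The function names, the documentation-range addresses and the CIDR-based trusted list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Matomo's implementation.

/** True if $ip lies inside $cidr (IPv4 or IPv6); a bare address is a full-length prefix. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or mixed address families
    }
    $max  = strlen($ipBin) * 8;
    $bits = $bits === null ? $max : max(0, min($max, (int) $bits));
    $full = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    if ($bits % 8 === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $bits % 8)) & 0xFF; // compare the partial byte
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

/** Walk right to left; return the first hop that is not a trusted proxy. */
function clientIpFromForwardedFor(string $header, array $trustedProxies): ?string
{
    $hops = array_filter(array_map('trim', explode(',', $header)), 'strlen');
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // malformed entry: stop rather than guess
        }
        foreach ($trustedProxies as $cidr) {
            if (ipInCidr($hop, $cidr)) {
                continue 2; // known proxy, keep walking toward the client
            }
        }
        return $hop; // entries further left were not added by a trusted hop
    }
    return null; // every hop was a trusted proxy
}

// Constructed sample for the topology above: <client>, <enterprise_appliance>
$header  = '203.0.113.7, 198.51.100.20';
$trusted = ['198.51.100.0/24']; // hypothetical appliance pool
$hops    = array_map('trim', explode(',', $header));
echo 'last entry:         ', end($hops), PHP_EOL;
echo 'right-to-left walk: ', clientIpFromForwardedFor($header, $trusted) ?? 'none', PHP_EOL;
```

Stopping at the first untrusted hop, rather than always taking the leftmost entry, keeps the result tied to an address that a trusted proxy actually observed.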
