All visits have same IP - even after activating proxy_client_headers

mvillar · June 28, 2016, 9:43am

We recently moved our Piwik installation to a new server platform that includes a reverse proxy. Since then, all visits have the same source IP. According to How do I configure Piwik when the server is installed behind a proxy? - Analytics Platform - Matomo , we uncommented the line:

proxy_client_headers[] = HTTP_X_FORWARDED_FOR

But it has no effect! The source IP is still the same, geolocation does not work.

phpinfo(); shows that requests get the HTTP_X_FORWARDED_FOR header with the value:
x.x.x.x, y.y.y.y

where x.x.x.x is the real source IP. Not sure what y.y.y.y is, maybe an intermediate proxy.

Where is the problem? I have searched for similar topics but all of them point to proxy_client_headers[] as a solution. What are we missing?

Thanks in advance.

matthieu · July 1, 2016, 2:34am

It should work to put proxy_client_headers[] = HTTP_X_FORWARDED_FOR below [General] in config.ini.php

mvillar · July 6, 2016, 12:42pm

Thank you for your answer Mathieu. A bit more detail:

the relevant section of our /config/config.ini.php is:

[General]
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_host_headers[] = HTTP_X_FORWARDED_HOST

All visits in the Visitors in Real time section of the Dashboard appear from source IP X.Y.0.0, which does NOT match the one shown in the REMOTE_ADDR part of the headers. X.Y part is the same but not the last two digits.
The Visitors / Locations panels shows all visits coming from the same place.
As I mentioned, HTTP_X_FORWARDED_FOR shows two IPs sepparated by a comma. The good one is the first one; browsing the code it seemed to me that is takes the last one, but that one does not match X.Y.0.0 either.

There has to be something we are missing. Whan can we do to find the problem?

matthieu · July 8, 2016, 1:30am

Hi there,

Maybe you could enable tracker debugging: Tracking HTTP API: API Reference - Piwik Analytics - Developer Docs - v3

and then take a look at the output.

if you find a bug in Piwik please follow up with us with an issue in the tracker: Issues · matomo-org/piwik · GitHub

mvillar · July 11, 2016, 7:46am

I did, but I’m not sure what to look for. It only says:

“DEBUG: Visitor IP (was: 130.211.0.0) has been anonymized: X.Y…0.0”

But it does not explain where the IP comes from. Should it give more details if it is being extracted from HTTP_X_FORWARDED_FOR instead of REMOTE_ADDR?

matthieu · July 12, 2016, 5:36am

To find out where the IP comes from, (ie. all IP addresses available for piwik to use) you could add the following in piwik.php

\Piwik\Common::printDebug($_SERVER);

just before this line: $response = $tracker->main($handler, $requestSet);

it will print the whole list of server values, including the IP addresses.

mvillar · July 12, 2016, 7:28am

I just did. It shows, as part of the server values:

‘HTTP_X_FORWARDED_FOR’ => ', ',
‘REMOTE_ADDR’ => ‘’,

and then, a few lines below:

DEBUG: Executing Piwik\Plugins\CoreHome\Tracker\VisitRequestProcessor::afterRequestProcessed()…
DEBUG: Visitor IP (was: ) has been anonymized:

is the real IP from where I am connecting. and have the same two first digits. has those same first digits and then 0.0 This IP is nowhere in the server values; not only it is not using the correct one, it appears to truncate it.

matthieu · July 13, 2016, 11:13pm

I’m not sure if some content is maybe missing from your post?

mvillar · July 14, 2016, 9:04am

Oh, right. I didn’t notice that using < and > as placeholders hid the text. Second attempt:

I just did. It shows, as part of the server values:

‘HTTP_X_FORWARDED_FOR’ => ‘[ip1], [ip2]’,
‘REMOTE_ADDR’ => ‘[ip3]’,

and then, a few lines below:

DEBUG: Executing Piwik\Plugins\CoreHome\Tracker\VisitRequestProcessor::afterRequestProcessed()…
DEBUG: Visitor IP (was: [ip4]) has been anonymized: [ip4]

[ip1] is the real IP from where I am connecting. [ip2] and [ip3] have the same two first digits. [ip4] has those same first digits and then 0.0 This IP is nowhere in the server values; not only it is not using the correct one, it appears to truncate it.

matthieu · July 19, 2016, 4:52am

the truncation is due to the privacy IP anonimiser: http://piwik.org/docs/privacy/

mvillar · July 19, 2016, 7:54am

I see. The line

DEBUG: Visitor IP (was: [ip4]) has been anonymized: [ip4]

seems to imply that the truncated IP is there before anonymization.

Still, if I disable the IP anonymizer, the IP that is shown in the real time panel is the same as [ip2].

This matches what I thought I saw in the code: when HTTP_X_FORWARDED_FOR contains more than one IP, the one Piwik keeps is the last one. However, in our case, the real IP that we would want to keep is the first one.

Is there anything that can be done about that, either in Piwik or our proxy?

Thanks again.

matthieu · July 26, 2016, 4:54am

Hi @mvillar - do you mind reporting a bug / issue on our tracker? https://github.com/piwik/piwik/issues

chaiping.peck · April 11, 2017, 6:03am

@mvillar, did you managed to resolve this issue?
Following as I am also encountering similar issue.

mvillar · April 12, 2017, 8:33am

Yes. I reported the bug as instructed by Matthieu and he created a patch. Check

github.com/matomo-org/matomo

Extract the first IP from HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP and HTTP_CF_CONNECTING_IP and HTTP_X_FORWARDED_HOST when there is more than one IP

matomo-org:3.x-dev ← matomo-org:10342b

opened 04:21AM - 16 Aug 16 UTC

mattab

+25 -19

Fixes #10342 - It's hard to know 100% whether this is a correct patch. - The …RFC at https://tools.ietf.org/html/rfc7239 makes it clear that we should extract the first IP from the header `HTTP_X_FORWARDED_FOR` - assuming we have had this bug for 5+ years, some users may have mis-configured their proxy setup especially just for Piwik to detect the "last IP" correctly. Once we start reading the first IP from the list, their geo-location and other features depending on IP address may break -> solution would be to configure the Proxy headers correctly so the first IP returned is the IP of the client. - it is unclear whether it is correct to do so for others as well ie. HTTP_CLIENT_IP and HTTP_CF_CONNECTING_IP and HTTP_X_FORWARDED_HOST , but I assume that it is correct - the CI tests failures are not related to the changes in this PR

I do believe the change was integrated in later versions but I’m not entirely sure.