Channel: Support & Bugs - Matomo forums

Nginx real_ip_recursive with matomo; what to do from multiple sources


Hi. I will try to detail this as simply as possible; maybe this will help more people in the future:

Current setup:

We have an on-premise Matomo instance in our corporate environment. It tracks several websites. It resides on a server as a Docker container, with another Docker container containing an nginx reverse proxy to access Matomo (mostly to handle TLS).

Current issue:

Some tracked websites are accessed from the internal network (other teams, from 162.0.0.0/8), some are accessed by our users from VPN (from 100.0.0.0/8), and some are accessed from the outside world (load balancer IPs are in 150.0.0.0/8). Docker containers talk through the 172.0.0.0/8 network (reverse proxy).

We usually get one of:
client -> vpn -> reverse proxy -> matomo
client -> internal -> reverse proxy -> matomo
client -> outsideworld -> reverse proxy -> matomo

Currently, Matomo shows these IPs as the source in the UI and not the clients' IPs. We would like to log the real client IPs.

Current config:

Regarding proxy configuration (faq/how-to-install/faq_98/), we are using the following in the config.ini.php file:

[General]
; Uncomment line below if you use a standard proxy
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_host_headers[] = HTTP_X_FORWARDED_HOST

and nginx.conf:

#Matomo nginx config
#made by Quardah Sept 11th 2020
#inspired by : https://github.com/matomo-org/matomo-nginx

server {

    listen 443 ssl;
    server_name matomo.internal.corp.ca;
    access_log /var/log/nginx/matomo.access.log;
    error_log /var/log/nginx/matomo.error.log;
    ssl_certificate /etc/nginx/conf.d/matomo.internal.corp.pem;
    ssl_certificate_key /etc/nginx/conf.d/matomo.key;

    add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    client_max_body_size 0;
    set_real_ip_from 150.0.0.0/8;
    set_real_ip_from 162.0.0.0/8;
    set_real_ip_from 172.0.0.0/8;
    set_real_ip_from 10.0.0.0/8;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {
        proxy_pass         http://172.18.0.3:80/;
        proxy_read_timeout  900;
        proxy_pass_header   Server;
        proxy_cookie_path   ~*^/.* /;
        proxy_set_header    X-Forwarded-Port  $server_port;
        proxy_set_header    X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_set_header    X-Forwarded-For   $remote_addr;
        proxy_set_header    X-Forwarded-Host  $http_host;
    }
}
# vim: filetype=nginx

My understanding:

Using these three documentation sources:

nginx documentation on core modules (ngx_http_core_module.html)

I figured out that the remote_addr string should contain the client IP, and that it is recursively stacked in the X-Forwarded-For header.

But I just can't figure out how to always point to the client IP.

We could also do with simply displaying all X-Forwarded-For IPs, to know which path the tracker takes to report the action. If that is possible, it would also be nice and do the job.

The most important ones are those coming from clients in the outside world (we need this info), but all their records have IPs in 150.0.0.0/8.

Please let me know what you think; I can also post more information if you need it.

Thank you for your time.
Quardah

3 posts - 1 participant
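The right-to-left walk that nginx's realip module performs over X-Forwarded-For, modelled in Python as an added example (this is not code from the post, from nginx or from Matomo). It follows the documented semantics of set_real_ip_from, real_ip_header X-Forwarded-For and real_ip_recursive: the header is only consulted when the TCP peer is trusted, trusted addresses are skipped from the right, and the first untrusted address wins. All sample addresses are made up: a load balancer at 150.1.2.3 in the post's 150.0.0.0/8, a Docker bridge gateway at 172.18.0.1 (the post's proxy_pass target is 172.18.0.3, so 172.18.0.0/16 is assumed to be the container network), an Internet client at 203.0.113.7 and an internal client at 162.10.20.30. Two of the cases bear directly on the posted nginx.conf: trusting 162.0.0.0/8, which the post describes as the internal clients' own range, lets such a client supply its own X-Forwarded-For, and a hop that replaces the header with a single address, as `proxy_set_header X-Forwarded-For $remote_addr;` does, leaves the next hop nothing to walk.

```python
"""Model of the address selection done by nginx's ngx_http_realip_module.

Added example: not code from the forum post, from nginx or from Matomo.
It reproduces the documented behaviour of
    set_real_ip_from <cidr>;  real_ip_header X-Forwarded-For;  real_ip_recursive on|off;
Starting from the TCP peer, nginx walks X-Forwarded-For from right to left,
skipping every address inside a trusted range; the first untrusted address
becomes $remote_addr.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated entries."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def valid_ip(addr: str) -> bool:
    try:
        ip_address(addr)
        return True
    except ValueError:
        return False


def is_trusted(addr: str, trusted: Sequence[str]) -> bool:
    """True if addr lies inside one of the set_real_ip_from ranges."""
    ip = ip_address(addr)
    return any(ip in ip_network(net, strict=False) for net in trusted)


def real_ip(peer: str, xff: Optional[str], trusted: Sequence[str],
            recursive: bool = True) -> str:
    """Return what nginx would expose as $remote_addr.

    peer      address of the TCP connection (the original $remote_addr)
    xff       raw X-Forwarded-For header as received, or None
    trusted   CIDRs from set_real_ip_from
    recursive value of real_ip_recursive
    """
    if not is_trusted(peer, trusted):
        return peer  # header from an untrusted peer is ignored entirely
    chosen = peer
    for addr in reversed(parse_xff(xff)):
        if not valid_ip(addr):
            break  # unparsable entry: nginx stops and keeps what it found so far
        chosen = addr
        if not recursive or not is_trusted(addr, trusted):
            break  # off: rightmost entry wins; on: first untrusted entry wins
    return chosen  # if every entry was trusted, the leftmost one is kept


# Constructed sample addresses (assumptions, not values from the post).
CLIENT = "203.0.113.7"            # Internet client
INTERNAL_CLIENT = "162.10.20.30"  # internal client in the post's 162.0.0.0/8
LB = "150.1.2.3"                  # load balancer in the post's 150.0.0.0/8
DOCKER_GW = "172.18.0.1"          # bridge gateway of the assumed 172.18.0.0/16 container network

# Trust only the hops assumed to really sit in front of nginx: LB and Docker bridge.
TIGHT = ["150.0.0.0/8", "172.18.0.0/16"]
# The set_real_ip_from list from the posted nginx.conf.
POSTED = ["150.0.0.0/8", "162.0.0.0/8", "172.0.0.0/8", "10.0.0.0/8"]


def scenarios() -> Dict[str, str]:
    """Resolved client address for each constructed case."""
    return {
        # Internet client; the LB appends the client and connects directly to nginx.
        "external_via_lb": real_ip(LB, CLIENT, TIGHT),
        # Same, but nginx sees the Docker bridge as peer and the LB inside the
        # chain: recursion skips both trusted hops.
        "external_via_docker_nat": real_ip(DOCKER_GW, f"{CLIENT}, {LB}", TIGHT),
        # real_ip_recursive off stops at the rightmost entry, i.e. the LB itself.
        "non_recursive_stops_at_lb": real_ip(DOCKER_GW, f"{CLIENT}, {LB}", TIGHT,
                                             recursive=False),
        # Internal client connects directly and forges a header; 162/8 is not
        # trusted in TIGHT, so the header is ignored.
        "internal_spoof_blocked": real_ip(INTERNAL_CLIENT, "198.51.100.9", TIGHT),
        # With the posted list 162/8 counts as a proxy, so the forged value is accepted.
        "internal_spoof_accepted": real_ip(INTERNAL_CLIENT, "198.51.100.9", POSTED),
        # A previous hop overwrote the header with one address instead of appending
        # (what proxy_set_header X-Forwarded-For $remote_addr does): the client is gone.
        "chain_overwritten": real_ip(DOCKER_GW, LB, TIGHT),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:28s} -> {addr}")
```

Running the script prints the resolved address per case. On the nginx side the two settings that matter follow from the model: `set_real_ip_from` should list only the networks that actually sit between the client and nginx (the load balancer and the container bridge), never a range that clients themselves connect from, and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends $remote_addr to the incoming header instead of replacing it, so the full chain reaches the next hop.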