GeoIp

Throws error when not finding special IP-address taken from HTTP_X_FORWARDED_FOR in GeoIP2 database

4 months 4 weeks ago #92571

Finews AG

We have visitors on our website from behind a proxy with an HTTP_X_FORWARDED_FOR value set to an IP address from within the range of 172.16.0.0 - 172.31.255.255. This is a commonly used special block of private addresses which are not contained in the GeoIP2 database and subsequently the plugin throws an error "The address $ipAddress is not in the database." and prevents the website from further loading. (latest version GeoIP 3.0.3.)

4 months 4 weeks ago #92572

Peter van Westen Admin

Please try the latest development version from:
www.regularlabs.com/development-releases

4 months 4 weeks ago #92575

Finews AG

Thank you, this works! The issue described has been solved by your amendment to GeoIp.php. Btw: as you are certainly aware, whether or not to use HTTP_X_FORWARDED_FOR at all and if so in which order against REMOTE_ADDR and HTTP_CLIENT_IP is quite controversial, also considering that we just want the approximate geolocation of a visitor.

4 months 4 weeks ago #92578

Peter van Westen Admin

As far as I am aware, in most cases if the HTTP_X_FORWARDED_FOR is set, it will hold the real IP as opposed to the other server values (which are more likely to contain the IP of the proxy server).
So what do you mean by "quite controversial"?

4 months 3 weeks ago #92632

Finews AG

Just search in Google for «http_x_forwarded_for vs remote_addr», read a few of the top results and you will realize what I meant by «quite controversial». Something I've found there for example is the following statement: $_SERVER['REMOTE_ADDR'] is the only reliable field that's not influenced by the remote user, all others are parsed from headers and can be forged by the client.

In my case, what made me contact you in this forum is that the company operating the proxy (its own and from behind which we had visitors on our website) set the http_x_forwarded_for header to an IP-address which is formally correct but does not really exist, as it is from a special block of private addresses which are not contained in the GeoIP2 database. That certainly doesn't help much if the main goal of this plugin is to determine a visitor's geolocation.

If it's all about identifying a client based on his own unique IP-address, I would say that it's appropriate to check for HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP, HTTP_CLIENT_IP in that order and if none of these are set, then go for the REMOTE_ADDR. But as we only need more or less accurate information on geolocation, I think it would be better to even get a proxy's geolocation than ending up with nothing. Deluxe version would be of course if we could go through all steps (as listed above) and if it's non-empty and a valid IP, check in the GeoIP2 database, but if the IP is not found proceed to the next available server variable and not immediately throw an error.

4 months 3 weeks ago #92634

Peter van Westen Admin

That company is trying to tell the browser that its location is the proxy IP.
What would for example a page like this result in on those computers?
whatismyipaddress.com/

4 months 3 weeks ago #92635

Finews AG

This page takes the $_SERVER['REMOTE_ADDR'] which is the IP of the company's proxy and shows information on that device, respectively geolocation of the ISP.

4 months 3 weeks ago #92638

Peter van Westen Admin

It's all down to what approach is taken.
In most PHP scripts that try to collect the true IP address, the order of searching is:
- HTTP_CLIENT_IP
- otherwise HTTP_X_FORWARDED_FOR
- otherwise REMOTE_ADDR as the fallback.

In most cases, if a client is behind a proxy, the HTTP_X_FORWARDED_FOR will contain the true IP (location) whilst the REMOTE_ADDR would possibly contain the IP of the proxy.

So I guess you can't make everybody happy in every case.

4 months 3 weeks ago #92671

Finews AG

When checking if IP is valid, it would help to exclude/reject IP addresses from reserved address blocks (10.0.0.0 to 10.255.255.255 / 172.16.0.0 to 172.31.255.255 / 192.168.0.0 to 192.168.255.255) as those are not contained in the GeoIP2 database.

4 months 3 weeks ago #92672

Peter van Westen Admin

Please try the latest development version from:
www.regularlabs.com/development-releases

4 months 3 weeks ago #92673

Finews AG

Thank you for the development release. Did some testing with various IPv4 addresses and seems to work as expected and without errors. But what happens if either one of the tested $_SERVER variables contains an IPv6 address or multiple IP addresses or an IPv4 and IPv6 address? And what about using PHP Filters to validate addresses? On the following page I found some interesting solutions: stackoverflow.com/questions/1634782/what...ct-ip-address-in-php

4 months 3 weeks ago #92674

Peter van Westen Admin

Currently there is no support for multiple IPs or IPv6. There are plans to support that in the future, but I can't say when that will be.
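
Added example, not part of the thread and not the GeoIP plugin's code: one way to combine the points raised above (comma-separated header values, IPv4 and IPv6, PHP's `filter_var()` with the private and reserved range flags, and falling through to the next server variable when a lookup misses). The function names `candidateIps` and `locate`, the `$lookup` callable (assumed to return null on a miss instead of throwing) and the sample values are hypothetical; the key order follows the one listed in post #92632.

```php
<?php
declare(strict_types=1);

// Header-derived values are client-controlled, so the result is suitable for
// approximate geolocation only, never for access control or audit identity.
function candidateIps(array $server): array
{
    $keys = ['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'HTTP_CLIENT_IP', 'REMOTE_ADDR'];
    $out  = [];
    foreach ($keys as $key) {
        if (empty($server[$key]) || !is_string($server[$key])) {
            continue;
        }
        // X-Forwarded-For may carry a comma-separated chain: client, proxy1, proxy2
        foreach (explode(',', $server[$key]) as $raw) {
            $ip = filter_var(
                trim($raw),
                FILTER_VALIDATE_IP,
                FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6
                | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
            );
            // Keep only valid, non-private, non-reserved addresses, once each
            if ($ip !== false && !in_array($ip, $out, true)) {
                $out[] = $ip;
            }
        }
    }
    return $out;
}

// $lookup is a hypothetical wrapper around the database reader that returns
// null when the address is not in the database.
function locate(array $server, callable $lookup): ?array
{
    foreach (candidateIps($server) as $ip) {
        $record = $lookup($ip);
        if ($record !== null) {
            return ['ip' => $ip, 'record' => $record];
        }
    }
    return null; // nothing usable: render the page without geo data
}

// Constructed sample input: a private address and an IPv6 address in the
// forwarded header, and a documentation-range address as the proxy.
$server = [
    'HTTP_X_FORWARDED_FOR' => '172.20.1.5, 2001:4860:4860::8888',
    'REMOTE_ADDR'          => '203.0.113.7',
];
$db = ['203.0.113.7' => ['country' => 'CH']]; // constructed stand-in database
var_dump(locate($server, fn(string $ip) => $db[$ip] ?? null));
```

Because a miss returns null rather than raising, a forwarded address that is private, reserved or simply absent from the database no longer stops the page from loading.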