Inconsistency of IP addresses between Matomo and Apache

MrSoul · May 12, 2026, 1:21pm

Hello,

I’m experiencing some behaviour on my Matomo installation that I can’t quite explain.
Bots are hitting my server, and the IP address differs between Matomo and the Apache logs (I don’t see this inconsistency with regular users).

I have a dedicated server with several Apache virtual hosts sharing the same IP address (I only have one for the whole server): for the virtual hosts in question, I have one running a phpBB forum and another running Matomo. No reverse proxy, no CDN, no load balancer.

In my Apache access logs for the forum’s virtual host, I have this entry (this is just one example among many):
103.155.140.110 - - [12/May/2026:08:42:05 +0200] “GET ``http://forum.domain.net/viewtopic.php?t=7718`` HTTP/1.1” 200 9814 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36”

However, in the Matomo interface, the corresponding visit (same user agent, same page, same timing to within 5 seconds) is recorded with the IP address 45.191.78.107.
I checked directly in the database under matomo_log_visit: the location_ip field does indeed contain 2dbf4e6b (45.191.78.107 in decimal).

I have checked my config.ini.php file: there is no proxy_client_headers[] directive present. I haven’t made any changes to global.ini.php
I have also looked through the source code of core/IP.php, which confirms that without proxy_client_headers, Matomo uses $_SERVER[“REMOTE_ADDR”] directly.

How is it possible that Matomo records a different IP address to the one logged by Apache, given that both are running on the same machine, with no proxy, and that the source code appears to rule out any reading of forged headers?

I’m using the latest version of Matomo (v5.10.0) on PHP 8.3.
The data hasn’t been anonymised yet (I’ll come back to it once I’ve sorted that out and blocked a few more bots)

Thank you in advance.

Jason_1282 · May 12, 2026, 10:00pm

Doesn’t sound too likely perhaps check the Matomo server access log for some thing like.

grep ‘viewtopic.php?t=7718’ /var/log/apache2/matomo-access.log
grep ‘45.191.78.107’ /var/log/apache2/matomo-access.log
grep ‘103.155.140.110’ /var/log/apache2/matomo-access.log

`Just to see if you can find a matching visit.

soardiac · May 13, 2026, 11:13am

Just a guess: You are comparing the IP of the forum page request with the IP of the Matomo tracking request. These are not necessarily the same HTTP request. The url shown by Matomo is just a parameter sent to matomo.php; it can be generated by the JavaScript tracker, by a bot, or by anyone directly calling the Tracking HTTP API.

Please check the Apache access log of the Matomo virtual host, not only the forum vHost, around 12/May/2026:08:42:05. Search for matomo.php, piwik.php, idsite=, rec=1, or the URL-encoded viewtopic.php%3Ft%3D7718. I expect you will find a request from 45.191.78.107.

The absolute request line in your forum log, GET http://forum.domain.net/viewtopic.php?t=7718 HTTP/1.1, is also suspicious. That is proxy-style absolute-form, not the usual origin-form request to a web server. It strongly suggests bot/proxy-scanner traffic.

So Matomo is probably not replacing 103.155.140.110 with 45.191.78.107. It is recording a different request: the tracker hit came from 45.191.78.107, while the forum hit came from 103.155.140.110.

MrSoul · May 13, 2026, 6:20pm

So, to compare:

host phpBB :
103.155.140.110 - - [12/May/2026:08:42:05 +0200] “GET ``http://forum.domain.net/viewtopic.php?t=7718`` HTTP/1.1” 200 9814 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36”

host matomo :
45.191.78.107 - - [12/May/2026:08:42:10 +0200] “POST /matomo.php?action_name=title%20-%20forum&idsite=12&rec=1&r=141799&h=6&m=42&s=7&url=http%3A%2F%``2Fforum.domain.net``%2Fviewtopic.php%3Ft%3D7718&_id=264107000f4ddf81&_idn=1&send_image=0&_refts=0&pv_id=WHnLuY&pf_net=365&pf_srv=878&pf_tfr=75&uadata=%7B%7D&pdf=1&qt=0&realp=0&wma=0&fla=0&java=0&ag=0&cookie=1&res=800x600 HTTP/1.1” 204 4072 “``http://forum.domain.net/”`` “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36”

Both matches have the same timecode (if you factor in the time it takes to load the forum page to trigger Matomo) and the same user agent; it’s clearly the same user triggering this.

So, this has nothing to do with Matomo, but do you have any idea how this bot might change its IP address whilst a page is loading, or at least whilst loading a resource from another domain?

soardiac · May 15, 2026, 2:21pm

The behaviour you’re seeing is consistent with the bot using a rotating proxy pool.

Many scraping services and botnets route each outgoing TCP connection through a different exit node. So the initial GET to your forum went out via 103.155.140.110, and five seconds later the JavaScript tracker fired a separate POST to matomo.php — through a different exit node, 45.191.78.107. From the bot’s perspective it’s the same session; from the network’s perspective it’s two unrelated source IPs.

This also ties in neatly with what I pointed out: the absolute-form request line (GET http://forum.domain.net/… HTTP/1.1) is a classic sign of traffic being sent through an HTTP proxy. The bot was already using a proxy for the first request — it just happened to pick a different one for the tracker call.

So to summarise: Matomo is behaving correctly. It recorded the real REMOTE_ADDR of the matomo.php POST, which came from a different proxy exit node than the one used for the forum page request. There is no bug and no spoofing — just a bot with a rotating proxy pool that happens to execute (or simulate) the JavaScript tracker as a separate request.