Visitor action displays 127.0.0.1

CoffeeCoder · October 18, 2020, 5:19pm

Hi, I was looking through my analytics and I noticed there is a number of what I am assuming are bots from China and North Africa where their Action is displayed as: http:// 127.0.0.1/

I was wondering why the ip is showing as a localhost ip? Is it a misconfiguration somewhere on my part? I am also using the php tracker for my analytics.

Most other actions show a user either entering https://www. example.com or other bots showing http:// 1.2.3.4:80/

analytic_action

Lukas · October 19, 2020, 7:53am

Hi,

If your visitor IPs show up as a local IP, your webserver might be behind a reverse proxy and you have to configure Matomo accordingly:
https://matomo.org/faq/how-to-install/faq_98/

CoffeeCoder · October 19, 2020, 2:31pm

I have attached a modified version of a rough average of what I can see. I am able to see visitor IP addresses, browser/os/device info etc. I have just noticed on the visitor logs where the action is the localhost IP there is no information at all except their IP address. The browser/os/device information is blank and when you hover over where it should be the tooltip says it’s unknown.

The first user is someone that has entered via the domain name, the second is a bot attempting to connect on port 80 (which I redirect to a broken url) and the third is the unknown user.

Looking at the link you provided, the server isn’t set up as a reverse proxy though I did notice the part about being in a sub path. My Matomo install path is https://www.example.co.uk/stats/matomo, not sure if that would cause any issues.

Lukas · October 19, 2020, 2:53pm

Hi,

Sorry, I didn’t read your post properly. This is of course somethin completly different.

Is the Matomo code maybe also included in the development version of your website and some developer is developing the site locally and being tracked while doing this?

Or someone downloaded your website (including the tracking code) and is browsing it locally. Or some bot/crawler is misconfigured and also executing the Matomo JS code.

In the website settings you can instruct Matomo to drop tracking data that doesn’t contain the URL of your website.

CoffeeCoder · October 19, 2020, 4:08pm

Looking at the possibilities you have listed, my development version is tested locally on a different computer without any tracking installed and uploaded to the remote server when going live, and I am the only developer of the site.

I tried navigating my site on the remote machine with Lynx using the localhost IP and I was able to recreate what I am seeing from the Chinese IP address’. I guess would that would mean that the site has been scraped by a bot which is triggering the analytics. However I am not using the javascript code I am using the PHP tracking so that info shouldn’t be downloaded by a scrapper.

My pages look something like this:

<?php
	require_once("/path/outside/root/dir/matomoPHPtracker/MatomoTracker.php");
	$settings = parse_ini_file('/path/outside/root/dir/file.ini', true);

	$matomoSiteId = $settings['m']['id'];
	$matomoUrl = $settings['m']['url'];	
	$matomoToken = $settings['m']['token'];

	// Optional variable
	$matomoPageTitle = "Page Title";

	$matomoTracker = new MatomoTracker((int)$matomoSiteId, $matomoUrl);
	$matomoTracker->setTokenAuth($matomoToken);
	$matomoTracker->doTrackPageView($matomoPageTitle);
?>
<!DOCTYPE html>
<html lang="en">
	<head></head>
	<body>
		content stuff
	</body>
</html>

Edit: I also just cheked my remote machine access logs and I don’t see any activity other than my own

Lukas · October 19, 2020, 4:39pm

Hi,

That info helps a bit:

The Matomo PHP tracking uses the following code to construct the URL of the current page that is then sent to Matomo:

github.com

matomo-org/matomo-php-tracker/blob/adc5d826dfffee2208423e194a5f59ffec18c35a/MatomoTracker.php#L1925-L1937


/**
 * Returns the current full URL (scheme, host, path and query string.
 *
 * @return string
 * @ignore
 */
protected static function getCurrentUrl()
{
    return self::getCurrentScheme() . '://'
    . self::getCurrentHost()
    . self::getCurrentScriptName()
    . self::getCurrentQueryString();
}

And the domain part is directly taken from the HOST header of the visitor:

github.com

matomo-org/matomo-php-tracker/blob/adc5d826dfffee2208423e194a5f59ffec18c35a/MatomoTracker.php#L1897-L1905


protected static function getCurrentHost()
{
    if (isset($_SERVER['HTTP_HOST'])) {
        return $_SERVER['HTTP_HOST'];
    }

    return 'unknown';
}

This means that if someone sends localhost as the HOST header of the request to your website, this is what will show up in Matomo.

And in theory someone could also make sure that their website URL shows up by making a request like curl -H "Host:https://attackerwebsite.example" https://yourwebsite.example.

I think it is a good practice to set up your webserver to only deliver your website website if the HOST header matches your URL as not doing so could in combination with other things lead to vulnerabilities like Host header attacks. This is also the reason why Matomo has the trusted_hosts[] setting in the config.ini.php.

CoffeeCoder · October 19, 2020, 10:00pm

Thanks for the help, I have recongifured the server settings to check the equality of host headers and have kept an eye on the logs over the past few hours and so far I havn’t had any more localhost ip sources come in.