
Mattermost, Inc.

Feature Request Discussion | Misinformation in "Access History" in Mattermost

I noticed something a while ago - If you are looking at the Mattermost user logs, or at your own login security, such as the following image, you are shown the IP address of the local server running the Mattermost instance. This image is from the Mattermost Community Server, where I viewed my Access History.


I believe that a feature request or code change - with a corresponding update to the documentation - that reflects the implementation of acceptance and compatibility from the web client to the internal server, the usage of HTTP headers such as X-Forwarded-For, CF-Connecting-IP, and so on. This would allow simple implementation of each header to be read as the RemoteIPOrigin. In turn, this would in theory allow the actual IP addresses of the users to be shown in the logs, instead of the server’s own local address, and also provide a reason to give users the option to disable tracking of their IP altogether, which would be helpful to this thread about GDPR compliance regarding IP tracking.

What are your thoughts on this, and potentially implementing this change? I’d appreciate any feedback/user debate about it!

1 Like

Hey @XxLilBoPeepsxX, thanks for your report!

This is indeed a bug affecting Mattermost Cloud workspaces. Our team had previously identified the issue and are actively working on a fix. It should not affect on-prem deployments as long as the HTTP headers are configured correctly.

1 Like

Of course! I wanted to also put a word in because something has been triggering my on-prem install to log the loopback IP address at seemingly-random times when it usually is grabbing the correct IP addresses even through Cloudflare.
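
The behaviour discussed in this thread, as an added Go example that is not Mattermost's code and not from any poster: a server behind a reverse proxy sees the proxy as its peer, so it logs the loopback address unless it reads a forwarding header, and it should read one only when the peer is a known proxy, because a directly connected client can put any value in these headers. The `ClientIP` helper and the loopback allowlist are hypothetical, and the example assumes the proxy overwrites `CF-Connecting-IP` and appends to `X-Forwarded-For` itself.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Constructed allowlist: only these peers (a reverse proxy on the same host) may supply client-IP headers.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128")}

func isTrusted(ip netip.Addr) bool {
	for _, p := range trustedProxies {
		if p.Contains(ip.Unmap()) {
			return true
		}
	}
	return false
}

// ClientIP (hypothetical helper) returns the address to write to an access log.
func ClientIP(r *http.Request) string {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	peer := ap.Addr().Unmap()
	if !isTrusted(peer) {
		return peer.String() // direct peer: forwarding headers are client-controlled, ignore them
	}
	for _, h := range []string{"CF-Connecting-IP", "X-Forwarded-For"} {
		hops := strings.Split(r.Header.Get(h), ",")
		for i := len(hops) - 1; i >= 0; i-- { // right to left: the hop our proxy appended comes first
			ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
			if err == nil && !isTrusted(ip) {
				return ip.Unmap().String()
			}
		}
	}
	return peer.String() // header missing or unusable: the proxy's own address is what gets logged
}

func main() {
	r, _ := http.NewRequest("GET", "/", nil)
	r.RemoteAddr = "127.0.0.1:41000" // constructed: request arrived via the local proxy
	fmt.Println(ClientIP(r))         // proxy forwarded no header
	r.Header.Set("X-Forwarded-For", "198.51.100.7, 127.0.0.1")
	fmt.Println(ClientIP(r))
}
```

The fall-through on the last line of `ClientIP` is the case where a proxy hop omits the header and a loopback entry appears in the log.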