missing HTTP_X_SHOPIFY_CLIENT_IP header

Shopify Partner
15 0 1

Hi !

 

I'm building an app that uses the App Proxy feature. I'm relying on the `HTTP_X_SHOPIFY_CLIENT_IP` header from the proxied request, and quite often this header is missing.

Do you have input on what may cause its absence ? Should we never rely on it?

 

Thanks ! Adrien

0 Likes
Shopify Staff
Shopify Staff
1118 78 156

Hey Adrien, 

 

I haven't been able to replicate the missing header at all. Did you happen to notice if it's only missing when certain events take place by chance? 

 

I'm not aware of any reason for it to be missing off-hand, but if it is essential for you and you find that it's missing sometimes I definitely wouldn't want to recommend relying on it. 

0 Likes
Shopify Partner
15 0 1

Hi @Josh ! Thank you for your answer. I have not noticed anything specific, it feels very random so far. It happens on the same URL for the same devices. I could not find a precise workflow that would trigger it. however it is quite frequent.

 

My Rails code that catches it looks like this:

```rb

if request.headers["HTTP_X_SHOPIFY_CLIENT_IP"].blank?
Monitoring.capture_exception(
Exception.new("missing headers for auth"),
level: 'warning'
)
end

```

 

It's quite hard for me to do what I'm aiming at without this header.

 

What could I do to help you debug this? I could provide you with a unique request identifier that you could look at later? Do you know which ID I should get for you?

 

Thanks! Adrien

0 Likes
Shopify Staff
Shopify Staff
1118 78 156

Hey again Adrien, 

 

We could try the HTTP_X_REQUEST_ID header if you don't mind posting that, if you could grab one from a request that did work and then one that did not that would be an additional bonus (but not a requirement).

 

I'm not sure that our logs will contain enough information to see what is causing this if I'm being honest, but it's certainly worth taking a look. I've sent requests to my own proxy from Chrome, Firefox, Safari, and an HTTP client and they all had an IP address attached - so this one is still very much a mystery I'd like to get to the bottom of.

0 Likes
Highlighted
Shopify Partner
15 0 1

Thanks for taking this seriously @Josh ! I've just added instrumentation to be able to give you these IDs, I'm deploying them and I'll let you know as soon as I have some data. Have a nice day!

0 Likes
Shopify Partner
15 0 1

Hello @Josh ! Here is a first request that just happened on the shop joone-test01.myshopify.com and that didn't have the HTTP_X_SHOPIFY_CLIENT_IP HTTP header. It's `HTTP_X_REQUEST_ID` is : `d7c66797-c2dc-49b6-8522-dc95bf547416`

 

Thanks so much for taking the time and don't hesitate to reach out in private too I'd be happy to provide more information.

 

Have a nice day,

Adrien

0 Likes
Shopify Staff
Shopify Staff
1118 78 156

Hey again Adrien, 

 

Sorry for the delay here - I was away at our Unite conference all last week. 

 

Is there a chance that the request that ID came from is over 12 days old? When I check our logs with it, nothing is there. 

0 Likes
Shopify Partner
15 0 1

Hi @Josh! Thanks for following up and no worries, the conference sounded intense, so many features we're looking forward to !

I don't think the request was 12 days old, but in any case here are a few other random ones from the production shop jooneparis.myshopify.com :


- 63f3fa1a-0b8e-4ed3-b6b7-53d793519799 June 25 2019 08:49:50 CEST

- 177d67b1-76c6-4d26-a6f9-2c5e6b79325b June 25 2019 08:48:11 CEST

ace68225-2ace-4394-ae8c-fa687103d0f0 June 24 2019 22:30:02 CEST

 

(just to repeat, there are the values for the HTTP_X_SHOPIFY_CLIENT_IP header for requests that were missing a HTTP_X_SHOPIFY_CLIENT_IP header)

 

I've setup sentry monitoring for this issue on this rather big shop and here are the volumes for this warning:

 

Screenshot 2019-06-25 at 08.55.32.png

 

Thank you

0 Likes
Shopify Partner
15 1 2

Hi @Josh - You can see all HTTP_* headers forwarded to our server, here: https://smart-eu-cookie-banner.myshopify.com/tools/privacy?debug=true

 

HTTP_X_SHOPIFY_CLIENT_IP is missing, but HTTP_X_FORWARDED_FOR is present. We now have a cascade of if statements to fetch the client address. HTTP_X_FORWARDED_FOR seems to include both the client address and Shopify's proxy server, so we split on ',' and take the first value.

 

Our use case is country detection so we also fall back to Cloudflare's country header, when present. Hope this helps!

0 Likes
Shopify Partner
15 0 1

@Impressthanks for the tip ! I didn't know notice that both addresses were included in the `HTTP_X_FORWARDED_FOR`, I'll try fallbacking on this now

0 Likes