- Thank you received: 1
Incorrect visitor IP if website uses CloudFlare
- arcturus
- Topic Author
- Offline
- New Member
-
I noticed that visitors IPs are not returned correctly using
Fortunately, CloudFlare adds two (or three) headers with the original customer IP:
A remedy to this would be a conditional fallback on which header can be used, something like
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Administrator
-
- Thank you received: 344
Thank you very much for reporting this. There is only a method to determine offensive IP, so I will change it following your suggestion.
And thank you very much again!
Regards,
Jose
Please Log in or Create an account to join the conversation.
- arcturus
- Topic Author
- Offline
- New Member
-
- Thank you received: 1
I was amazed that even if I added some IPs in the blacklist, most of the IPs reported and blacklisted actually belonged to CloudFlare, so the CloudFlare is blacklisted (and whitelisted, not the hackers).
Keep up the good work!

Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Administrator
-
- Thank you received: 344
To avoid cases like this I added the "avoid proxies" option into Global Configuration -> Tuning. One of the options returns the x-forwarded (and other) headers to determine the real IP and the other the $_SERVER header, but your suggestion seems to improve my code.I was amazed that even if I added some IPs in the blacklist, the IPs reported and blacklisted actually belonged to CloudFlare.
Thank you!!Keep up the good work!
Please Log in or Create an account to join the conversation.
- arcturus
- Topic Author
- Offline
- New Member
-
- Thank you received: 1
Later edit: Actually, if I want to whitelist my current IP, the IP that appears in the SecurityCheck Pro component belongs to CloudFlare.
Later edit: I used that option on and off, but the IP to add to whitelist is still CloudFlares (in this case I would have expected that, if that option is set to „No”, SecutiryCheck Pro to use the real visitor's IP taken from the HTTP_X_FORWARDED_FOR proxy header put by CloudFlare). Maybe some extensive tests would be required.
Please Log in or Create an account to join the conversation.
- Jose
-
- Offline
- Administrator
-
- Thank you received: 344

Regards,
Jose
Please Log in or Create an account to join the conversation.
In order to provide you with the best online experience this website uses cookies.
By using our website, you agree to our use of cookies.
This site is not affiliated with or endorsed by the Joomla! Project. It is not supported or warranted by the Joomla! Project or Open Source Matters. The Joomla! logo is used under a limited license granted by Open Source Matters, the trademark holder in the United States and other countries.
We may collect your IP address and your browser's User Agent string while using our site for security reasons. This information is retained only until we check you're not trying to hack our website.