
Incorrect visitor IP if website uses CloudFlare

7 months 3 weeks ago - 7 months 3 weeks ago #7388 by arcturus
Hello developers,

I noticed that visitors' IPs are not returned correctly using $_SERVER['REMOTE_ADDR'] if the website uses CloudFlare (this call returns the IP of the nearest CloudFlare mirror of the website).
Fortunately, CloudFlare adds two (or three) headers with the original customer IP: $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['HTTP_CF_CONNECTING_IP'] (and $_SERVER['HTTP_TRUE_CLIENT_IP'] if it's the Enterprise paid plan).
$_SERVER['REMOTE_ADDR'] is used in about 5 files of SecurityCheck Pro.

A remedy for this would be a conditional fallback on which header to use, something like:
if (isset($_SERVER['HTTP_TRUE_CLIENT_IP'])) $ip = $_SERVER['HTTP_TRUE_CLIENT_IP']; # CloudFlare specific header for enterprise paid plan, compatible with other vendors
elseif (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $ip = $_SERVER['HTTP_CF_CONNECTING_IP']; # another CloudFlare specific header available in all plans, including the free one
elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; # specific header for proxies
elseif (isset($_SERVER['REMOTE_ADDR'])) $ip = $_SERVER['REMOTE_ADDR']; # this one would be used, if no header of the above is present
Last edit: 7 months 3 weeks ago by arcturus. Reason: Some code was removed by the editor.
The following user(s) said Thank You: Jose
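The precedence proposed in the post above, written out as an added example that is neither SecurityCheck Pro's code nor arcturus's snippet. It adds the check a defender would want before using these values for blacklisting or whitelisting: forwarded headers are honoured only when the TCP peer (REMOTE_ADDR) is a known proxy, because otherwise any direct client can set X-Forwarded-For (or CF-Connecting-IP) and choose which address ends up on the list. The trusted-proxy ranges and the sample requests are constructed placeholders; a real deployment would use the ranges CloudFlare publishes. The $_SERVER-style array is passed in as a parameter so the function can be exercised with constructed input.

```php
<?php
// Added example (not SecurityCheck Pro's code): resolve the visitor IP behind a
// CDN/proxy without letting a direct client spoof it through a forwarded header.
// The ranges below are constructed placeholders, not real CloudFlare ranges.
const TRUSTED_PROXY_CIDRS = [
    '203.0.113.0/24', // placeholder: stands in for the CDN's edge range (IPv4)
    '2001:db8::/32',  // placeholder IPv6 range
];

/** True when $ip lies within $cidr (IPv4 or IPv6); false on malformed input. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address or IPv4/IPv6 mismatch
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    $remBits   = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF; // partial-byte prefix mask
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Return the IP to use for blacklist/whitelist decisions.
 * Forwarded headers are trusted only when the request actually arrived from a
 * trusted proxy; otherwise REMOTE_ADDR is the client and the headers are
 * attacker-controlled input.
 */
function resolveClientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote)) {
        return $remote;
    }
    // Same precedence the thread proposes: True-Client-IP, then CF-Connecting-IP.
    foreach (['HTTP_TRUE_CLIENT_IP', 'HTTP_CF_CONNECTING_IP'] as $header) {
        if (!empty($server[$header])) {
            $candidate = trim($server[$header]);
            if (filter_var($candidate, FILTER_VALIDATE_IP)) {
                return $candidate;
            }
        }
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is "client, proxy1, proxy2, ...": walk from the right and take the
        // first hop that is not one of our trusted proxies.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--) {
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) && !isTrustedProxy($hops[$i])) {
                return $hops[$i];
            }
        }
    }
    return $remote;
}

// Constructed sample requests, not captured traffic.
$viaCdn = [
    'REMOTE_ADDR'           => '203.0.113.10',   // CDN edge (trusted placeholder)
    'HTTP_CF_CONNECTING_IP' => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR'  => '198.51.100.7, 203.0.113.10',
];
$direct = [
    'REMOTE_ADDR'          => '198.51.100.9',    // client connected directly
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',       // set by the client; must be ignored
];

echo resolveClientIp($viaCdn), "\n";
echo resolveClientIp($direct), "\n";
```

For the first request the function returns the address from CF-Connecting-IP; for the second it ignores the forwarded header and returns REMOTE_ADDR. Dropping the trusted-proxy check and taking the headers unconditionally, as the snippet in the post does, would let the second request be recorded under 127.0.0.1.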


7 months 3 weeks ago #7389 by Jose
Hi arcturus,

Thank you very much for reporting this. There is only one method to determine the offensive IP, so I will change it following your suggestion.

And thank you very much again!

Regards,
Jose


7 months 3 weeks ago - 7 months 3 weeks ago #7390 by arcturus
You're welcome.
I was amazed that even if I added some IPs to the blacklist, most of the IPs reported and blacklisted actually belonged to CloudFlare, so CloudFlare is what gets blacklisted (and whitelisted), not the hackers.
Keep up the good work! :-)
Last edit: 7 months 3 weeks ago by arcturus.


7 months 3 weeks ago #7391 by Jose

> I was amazed that even if I added some IPs in the blacklist, the IPs reported and blacklisted actually belonged to CloudFlare.

To avoid cases like this I added the "avoid proxies" option into Global Configuration -> Tuning. One of the options returns the x-forwarded (and other) headers to determine the real IP and the other the $_SERVER header, but your suggestion seems to improve my code.

> Keep up the good work! :-)

Thank you!!


7 months 3 weeks ago - 7 months 3 weeks ago #7392 by arcturus
I checked that option for a long time (and still, the situation described above occurred).

Later edit: Actually, if I want to whitelist my current IP, the IP that appears in the SecurityCheck Pro component belongs to CloudFlare.

Later edit: I used that option on and off, but the IP to add to the whitelist is still CloudFlare's (in this case I would have expected that, if that option is set to "No", SecurityCheck Pro would use the real visitor's IP taken from the HTTP_X_FORWARDED_FOR proxy header set by CloudFlare). Maybe some extensive tests would be required.
Last edit: 7 months 3 weeks ago by arcturus.


7 months 3 weeks ago #7393 by Jose
Yes, I didn't know your explanation about CloudFlare's headers. So I will improve my code with yours :)

Regards,
Jose
