Home
/
Forum
/
Securitycheck Pro
/
Bug report
/
.htaccess protection

Incorrect visitor IP if website uses CloudFlare

arcturus
Topic Author
Offline
Fresh Boarder

1 month 2 weeks ago - 1 month 2 weeks ago #7388 by arcturus

Incorrect visitor IP if website uses CloudFlare was created by arcturus

Hello developers,

I noticed that visitors IPs are not returned correctly using

$_SERVER['REMOTE_ADDR']

if the website uses CloudFlare (this instruction returns the IP of the CloudFlare nearest mirror of the website).
Fortunately, CloudFlare adds two (or three) headers with the original customer IP:

$_SERVER['HTTP_X_FORWARDED_FOR']

and

$_SERVER['HTTP_CF_CONNECTING_IP']

(and

$_SERVER['HTTP_TRUE_CLIENT_IP']

if it's the Enterprise paid plan).

$_SERVER['REMOTE_ADDR']

is used in about 5 files of SecurityCheck Pro.

A remedy to this would be a conditional fallback on which header can be used, something like

if (isset($_SERVER['HTTP_TRUE_CLIENT_IP'])) $ip = $_SERVER['HTTP_TRUE_CLIENT_IP']; # CloudFlare specific header for enterprise paid plan, compatible with other vendors
elseif (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $ip = $_SERVER['HTTP_CF_CONNECTING_IP']; # another CloudFlare specific header available in all plans, including the free one
elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; # specific header for proxies
elseif (isset($_SERVER['REMOTE_ADDR'])) $ip = $_SERVER['REMOTE_ADDR']; # this one would be used, if no header of the above is present

Last edit: 1 month 2 weeks ago by arcturus. Reason: Some code was removed by the editor.

The following user(s) said Thank You: Jose

Please Log in or Create an account to join the conversation.

Jose
Offline
Moderator

1 month 2 weeks ago #7389 by Jose

Replied by Jose on topic Incorrect visitor IP if website uses CloudFlare

Hi arcturus,

Thank you very much for reporting this. There is only a method to determine offensive IP, so I will change it following your suggestion.

And thank you very much again!

Regards,
Jose

Please Log in or Create an account to join the conversation.

arcturus
Topic Author
Offline
Fresh Boarder

1 month 2 weeks ago - 1 month 1 week ago #7390 by arcturus

Replied by arcturus on topic Incorrect visitor IP if website uses CloudFlare

You're welcome.
I was amazed that even if I added some IPs in the blacklist, most of the IPs reported and blacklisted actually belonged to CloudFlare, so the CloudFlare is blacklisted (and whitelisted, not the hackers).
Keep up the good work!

Last edit: 1 month 1 week ago by arcturus.

Please Log in or Create an account to join the conversation.

Jose
Offline
Moderator

1 month 2 weeks ago #7391 by Jose

Replied by Jose on topic Incorrect visitor IP if website uses CloudFlare

I was amazed that even if I added some IPs in the blacklist, the IPs reported and blacklisted actually belonged to CloudFlare.

To avoid cases like this I added the "avoid proxies" option into Global Configuration -> Tuning. One of the options returns the x-forwarded (and other) headers to determine the real IP and the other the $_SERVER header, but your suggestion seems to improve my code.

Keep up the good work!

Thank you!!

Please Log in or Create an account to join the conversation.

arcturus
Topic Author
Offline
Fresh Boarder

1 month 2 weeks ago - 1 month 1 week ago #7392 by arcturus

Replied by arcturus on topic Incorrect visitor IP if website uses CloudFlare

I checked that option for a long time (and still, the situation described above occurred).

Later edit: Actually, if I want to whitelist my current IP, the IP that appears in the SecurityCheck Pro component belongs to CloudFlare.

Later edit: I used that option on and off, but the IP to add to whitelist is still CloudFlares (in this case I would have expected that, if that option is set to „No”, SecutiryCheck Pro to use the real visitor's IP taken from the HTTP_X_FORWARDED_FOR proxy header put by CloudFlare). Maybe some extensive tests would be required.

Last edit: 1 month 1 week ago by arcturus.

Please Log in or Create an account to join the conversation.

Jose
Offline
Moderator

1 month 2 weeks ago #7393 by Jose

Replied by Jose on topic Incorrect visitor IP if website uses CloudFlare

Yes, I didn't know your explanation about cloudflare's headers. So I will improve my code with yours

Regards,
Jose

Please Log in or Create an account to join the conversation.

Time to create page: 0.057 seconds

Incorrect visitor IP if website uses CloudFlare

In order to provide you with the best online experience this website uses cookies.

Login or Sign In