Wrong IP if proxied via CloudFlare #48

Open
SloCompTech opened this issue Dec 22, 2020 · 9 comments
@SloCompTech

Hi,
I'm getting the proxy IP instead of the client IP when I have the app proxied via Cloudflare. The Cloudflare docs say we should look in CF-Connecting-IP, because the value of X-Forwarded-For is the same as CF-Connecting-IP only if the former is not already set (in my example it is set to the proxy IP). Now I'm getting only the proxy IP in X-Forwarded-For.

Example headers I get:

```
Host: <somehost>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.5
Cdn-Loop: cloudflare
Cf-Connecting-Ip: <CLIENTIP>
Cf-Ipcountry: <someval>
Cf-Ray: <someval>
Cf-Request-Id: <someval>
Cf-Visitor: {"scheme":"https"}
Cookie: _ga=<someval>; __cfduid=<someval>
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 162.158.90.163
X-Forwarded-Host: <somehost>
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: <someval>
X-Real-Ip: 162.158.90.163
```

@SloCompTech
Author

I'm looking at #47, and there this could be easily changed.

@njbarrett

I've also found this to be an issue. Had to turn off the Cloudflare proxy until this is resolved.

@SloCompTech
Author

Looked into pending pull requests and #47 is a possible solution for this.

@ad8-bdl

ad8-bdl commented Dec 15, 2021

This may have been a transient problem with Cloudflare and/or the OP's environment; Cloudflare are indeed sending X-Forwarded-For per the standard form:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

ref. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

You can verify this yourself by:

  1. creating a CNAME record on your Cf domain, pointing to httpbin.org
  2. enable the Cf proxy for that CNAME
  3. call https://httpbin.yourdomain.com/anything?show_env=1
  4. observe the X-Forwarded-For header string is of the above form, e.g. "X-Forwarded-For": "a.b.c.d, 108.162.250.151" (the former is my client address, the latter is a Cf address)

@alko89

alko89 commented Feb 11, 2022

Cloudflare seems to use true-client-ip header for the IP. What about adding an optional parameter to pick a header that would be prioritized when reading IP?

@ad8-bdl

ad8-bdl commented Feb 11, 2022

Cloudflare state in their docs https://developers.cloudflare.com/fundamentals/get-started/http-request-headers:

> There is no difference between the True-Client-IP and CF-Connecting-IP headers besides the name of the header.

and further that True-Client-IP is only available for traffic on their Enterprise plan.

i.e. CF-Connecting-IP should be used when using Cloudflare.

I would expect any prioritised list of headers would be a major problem: if you happen to not be using one of the lesser priority proxy headers then a malicious user can simply send along a higher priority header with any value they choose. Cloudflare warn of this issue in the above doc (in the section on True-Client-IP).
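
Added example, not part of the thread or of request-ip: one way to act on the spoofing concern above is to honour CF-Connecting-IP only when the TCP peer is a trusted proxy, shown next to an unguarded priority list for contrast. The function names, the trusted ranges (chosen to cover the proxy addresses quoted in this thread) and the sample requests are constructed; it assumes IPv4 addresses and that the listed proxies are the app's direct TCP peers.

```javascript
// Added example: function names, ranges and sample requests are constructed.
// Assumption: these are the only peers allowed to reach the app. In production,
// load the proxy operator's currently published ranges instead of hard-coding.
const TRUSTED_PROXIES = ['162.158.0.0/15', '108.162.192.0/18', '127.0.0.1/32'];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null when malformed.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.some((o) => o > 255) ? null : octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const size = 2 ** (32 - Number(bits)); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
const normalizePeer = (peer) => String(peer).replace(/^::ffff:/i, '');

function isTrustedPeer(peer) {
  return TRUSTED_PROXIES.some((cidr) => inCidr(normalizePeer(peer), cidr));
}

// Unguarded priority list: the first header present wins, whoever sent it.
function naiveClientIp(headers, peer, priority = ['cf-connecting-ip', 'x-forwarded-for']) {
  for (const name of priority) {
    if (headers[name]) return headers[name].split(',')[0].trim();
  }
  return normalizePeer(peer);
}

// Guarded: honour CF-Connecting-IP only when the TCP peer is a trusted proxy
// and the value is a well-formed address; otherwise fall back to the peer.
function guardedClientIp(headers, peer) {
  const claimed = headers['cf-connecting-ip'];
  if (isTrustedPeer(peer) && claimed && ipv4ToInt(claimed) !== null) return claimed.trim();
  return normalizePeer(peer);
}

// Constructed requests: one relayed by the proxy, one sent straight to the origin.
const viaProxy = { peer: '::ffff:162.158.90.163', headers: { 'cf-connecting-ip': '203.0.113.7' } };
const direct = { peer: '198.51.100.23', headers: { 'cf-connecting-ip': '10.0.0.1' } };
```

In an Express handler the call would be `guardedClientIp(req.headers, req.socket.remoteAddress)`, since Node lowercases incoming header names.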

@k2xl

k2xl commented Jul 5, 2022

Has this been resolved? Looking at the library and using Cloudflare.

@Chheung

Chheung commented Jun 18, 2023

I ran into the same issue a day ago, but luckily I forked and adjusted the code a long time ago.

You can try it out...
https://github.com/Chheung/request-ip

Usage:

```javascript
app.use(requestIp.mw(), {
  prioritize: ['cf-connecting-ip'],
});
```

What it does is reorder the header check described in https://github.com/pbojinov/request-ip#how-it-works

Related issue: #75

@olivbau

olivbau commented Feb 4, 2024

Any news on this one? Has this been resolved?
