Froxlor
Froxlor copied to clipboard
Feature Request: Behind-a-reverse-proxy-support (e.g. Cloudflare)
Problem
Reverse proxy are getting more usual, and Cloudflare is a very common one offering a lot of benefits. However there are also changes required on the server-side to get the real IP of the visitor, and not the Cloudflare Edge IP address which is contacting the origin server, like Froxlor in this case.
Idea
Having new configuration options when editing a (sub)domain:
- "Is behind a reverse proxy?": boolean. Set if domain is behind a reverse proxy or not.
- "Trusted IP addresses": string. A set range of IP addresses from the reverse proxy, which determines if the real IP should be read from the
X-Forwarded-For
header instead. - "real_ip_recursive": boolean. I'm not sure if this is needed. Might be nginx-specific.
Ressources
- http://nginx.org/en/docs/http/ngx_http_realip_module.html
It's 2022, it's mandatory... By the way, it is also a joke that there are no sessions in cookies
Hello, I use froxlor with cloudflare, and it works very well, it is only necessary to make a change, in my case in apache2.
Greetings.
The various scenarios I encoutered didn't have any issues if behind cloudflare or similar
@d00p I'm not sure why this was closed?
When you have Cloudflare in front of the websites, you won't see the real IP in the logs and in PHP, as Cloudflare proxies it as a reverse proxy/. This behavior is typical for a reverse proxy.
Even see the Cloudflare documentation: https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#web-server-instructions
Cloudflare even have a API to query for their Edge IPs to be used with set_real_ip_from
:
https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6
This is required for nginx and apache. Therefore a native integration for Cloudflare would be handy, and also a setting to use set_real_ip_from
for own-configured reverse proxies.
As those IPs change from Cloudflare, this needs to be automated and the webserver also reloaded on changes.
For example I do have several websites behind a load balancer, hence not seeing the real IPs on the Froxlor instance. This requires said configuration value to be set.