request-ip

Wrong IP if proxied via CloudFlare

Open SloCompTech opened this issue 3 years ago • 9 comments

Hi, I'm getting the proxy IP instead of the client IP when my app is proxied via CloudFlare. The Cloudflare docs say we should look in CF-Connecting-IP, because the value of X-Forwarded-For is the same as CF-Connecting-IP only if it was not previously set (in my example it is set with the proxy IP). Now I'm getting only the proxy IP in X-Forwarded-For.

Example headers I get:

Host: <somehost>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.5
Cdn-Loop: cloudflare
Cf-Connecting-Ip: <CLIENTIP>
Cf-Ipcountry: <someval>
Cf-Ray: <someval>
Cf-Request-Id: <someval>
Cf-Visitor: {"scheme":"https"}
Cookie: _ga=<someval>; __cfduid=<someval>
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 162.158.90.163
X-Forwarded-Host: <somehost>
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: <someval>
X-Real-Ip: 162.158.90.163

SloCompTech, Dec 22 '20 11:12

I'm looking at #47, and there this could be easily changed.

SloCompTech, Dec 22 '20 11:12

I've also found this to be an issue. Had to turn off the Cloudflare proxy until this is resolved.

njbarrett, Jan 11 '21 11:01

Looked into the pending pull requests, and #47 is a possible solution for this.

SloCompTech, Feb 02 '21 20:02

This may have been a transient problem with Cloudflare and/or the OP's environment; Cloudflare are indeed sending X-Forwarded-For per the standard form:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

ref. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

You can verify this yourself by:

  1. creating a CNAME record on your Cf domain, pointing to httpbin.org
  2. enable the Cf proxy for that CNAME
  3. call https://httpbin.yourdomain.com/anything?show_env=1
  4. observe the X-Forwarded-For header string is of the above form, e.g. "X-Forwarded-For": "a.b.c.d, 108.162.250.151" (the former is my client address, the latter is a Cf address)

ad8-bdl, Dec 15 '21 06:12

Cloudflare seems to use the true-client-ip header for the IP. What about adding an optional parameter to pick a header that would be prioritized when reading the IP?

alko89, Feb 11 '22 08:02

Cloudflare state in their docs https://developers.cloudflare.com/fundamentals/get-started/http-request-headers:

There is no difference between the True-Client-IP and CF-Connecting-IP headers besides the name of the header.

and further that True-Client-IP is only available for traffic on their Enterprise plan.

i.e. CF-Connecting-IP should be used when using Cloudflare.

I would expect any prioritised list of headers would be a major problem: if you happen to not be using one of the lesser priority proxy headers then a malicious user can simply send along a higher priority header with any value they choose. Cloudflare warn of this issue in the above doc (in the section on True-Client-IP).

ad8-bdl, Feb 11 '22 10:02
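The spoofing risk raised in the comment above, and one way to close it, as an added example that is not part of the thread or of request-ip: the header is honoured only when the TCP peer is a trusted proxy. The function names and `TRUSTED_PROXY_CIDRS` are hypothetical, the CIDR list is sample configuration, and only IPv4 is handled.

```javascript
// Added example: trust CF-Connecting-IP only when the TCP peer is a known proxy.
// TRUSTED_PROXY_CIDRS is sample configuration (an assumption); in production
// load the ranges your CDN publishes. IPv4 only, to keep the example short.
const TRUSTED_PROXY_CIDRS = ['162.158.0.0/15', '108.162.192.0/18'];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if invalid.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const size = 2 ** (32 - Number(bits)); // number of addresses in the block
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Naive priority list: returns whatever the first matching header says.
function naiveClientIp(req, priority = ['cf-connecting-ip', 'x-forwarded-for']) {
  for (const name of priority) {
    if (req.headers[name]) return req.headers[name].split(',')[0].trim();
  }
  return req.socket.remoteAddress;
}

// Hardened: the header is honoured only if the peer address is a trusted proxy.
function trustedClientIp(req, cidrs = TRUSTED_PROXY_CIDRS) {
  const peer = String(req.socket.remoteAddress).replace(/^::ffff:/i, '');
  const fromProxy = cidrs.some((c) => inCidr(peer, c));
  const claimed = req.headers['cf-connecting-ip'];
  if (fromProxy && claimed && ipv4ToInt(claimed.trim()) !== null) return claimed.trim();
  return peer; // direct connection or malformed header: fall back to the socket
}

// Constructed requests: client addresses are documentation ranges, the proxy
// address is the one shown in the issue's headers.
const viaProxy = { headers: { 'cf-connecting-ip': '203.0.113.7', 'x-forwarded-for': '162.158.90.163' },
  socket: { remoteAddress: '::ffff:162.158.90.163' } };
const direct = { headers: { 'cf-connecting-ip': '198.51.100.99' },
  socket: { remoteAddress: '192.0.2.50' } };

console.log(naiveClientIp(direct), trustedClientIp(direct), trustedClientIp(viaProxy));
```

For the request that bypasses the proxy, the naive reader returns the header value the client chose, while the hardened reader returns the socket address.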

Has this been resolved? Looking at the library and using cloudflare

k2xl, Jul 05 '22 02:07

I ran into the same issue a day ago, but luckily I forked and adjusted the code a long time ago.

You can try it out... https://github.com/Chheung/request-ip

Usage:

app.use(requestIp.mw(), {
  prioritize: ['cf-connecting-ip'],
});

What it does is reorder the header check in https://github.com/pbojinov/request-ip#how-it-works

Related issue: #75

Chheung, Jun 18 '23 11:06

Any news on this one? Has this been resolved?

olivbau, Feb 04 '24 23:02