request-ip
Wrong IP if proxied via CloudFlare
Hi,
I'm getting the proxy IP instead of the client IP when I have the app proxied via Cloudflare. Cloudflare docs say we should look in CF-Connecting-IP, because the value of X-Forwarded-For is the same as CF-Connecting-IP only if the former is not already set (in my example it is set with the proxy IP). Now I'm getting only the proxy IP in X-Forwarded-For.
Example headers I get:
Host: <somehost>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.5
Cdn-Loop: cloudflare
Cf-Connecting-Ip: <CLIENTIP>
Cf-Ipcountry: <someval>
Cf-Ray: <someval>
Cf-Request-Id: <someval>
Cf-Visitor: {"scheme":"https"}
Cookie: _ga=<someval>; __cfduid=<someval>
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 162.158.90.163
X-Forwarded-Host: <somehost>
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: <someval>
X-Real-Ip: 162.158.90.163
I'm looking at #47, and there this could be easily changed.
I've also found this to be an issue. Had to turn off the Cloudflare proxy until this is resolved.
Looked into pending pull requests and #47 is a possible solution for this.
This may have been a transient problem with Cloudflare and/or the OP's environment; Cloudflare are indeed sending X-Forwarded-For per the standard form:
X-Forwarded-For: <client>, <proxy1>, <proxy2>
ref. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
You can verify this yourself by:
- creating a CNAME record on your Cf domain, pointing to httpbin.org
- enable the Cf proxy for that CNAME
- call https://httpbin.yourdomain.com/anything?show_env=1
- observe the X-Forwarded-For header string is of the above form, e.g. "X-Forwarded-For": "a.b.c.d, 108.162.250.151" (the former is my client address, the latter is a Cf address)
Cloudflare seems to use the true-client-ip header for the IP. What about adding an optional parameter to pick a header that would be prioritized when reading the IP?
Cloudflare state in their docs https://developers.cloudflare.com/fundamentals/get-started/http-request-headers:
There is no difference between the True-Client-IP and CF-Connecting-IP headers besides the name of the header.
and further that True-Client-IP is only available for traffic on their Enterprise plan.
i.e. CF-Connecting-IP should be used when using Cloudflare.
I would expect any prioritised list of headers would be a major problem: if you happen to not be using one of the lesser priority proxy headers then a malicious user can simply send along a higher priority header with any value they choose. Cloudflare warn of this issue in the above doc (in the section on True-Client-IP).
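As an added example (not part of the thread and not request-ip's or any fork's code), one way to avoid the header-spoofing problem described above is to honour CF-Connecting-IP only when the TCP peer is a known proxy. The function names and the trust list are assumptions; the CIDR is a constructed sample covering the proxy address shown in the issue.

```javascript
// Added example: names and ranges below are constructed for illustration.
const net = require('net');

// Proxies allowed to set forwarding headers. Sample range only; in practice
// load the address list your CDN publishes and keep it current.
const TRUSTED_PROXIES = ['162.158.0.0/15'];

function buildTrustList(cidrs) {
  const list = new net.BlockList();
  for (const cidr of cidrs) {
    const [addr, prefix] = cidr.split('/');
    list.addSubnet(addr, Number(prefix), net.isIPv6(addr) ? 'ipv6' : 'ipv4');
  }
  return list;
}

// Trim, strip the IPv4-mapped IPv6 prefix Node reports on dual-stack
// sockets, and reject anything that is not a literal IP address.
function normalize(addr) {
  const ip = String(addr || '').trim().replace(/^::ffff:(?=\d+\.\d+\.\d+\.\d+$)/i, '');
  return net.isIP(ip) ? ip : null;
}

function isTrusted(list, ip) {
  return ip !== null && list.check(ip, net.isIPv6(ip) ? 'ipv6' : 'ipv4');
}

function clientIp(req, trust = buildTrustList(TRUSTED_PROXIES)) {
  const peer = normalize(req.socket.remoteAddress);
  // Headers are client-controlled unless the TCP peer is a known proxy.
  if (!isTrusted(trust, peer)) return peer;

  const cf = normalize(req.headers['cf-connecting-ip']);
  if (cf) return cf;

  // Fallback: walk X-Forwarded-For right to left, skipping trusted hops.
  const hops = String(req.headers['x-forwarded-for'] || '').split(',').map(normalize);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (hops[i] === null) break; // malformed entry: stop trusting the chain
    if (!isTrusted(trust, hops[i])) return hops[i];
  }
  return peer;
}
```

If another reverse proxy sits between the CDN and the app, its address has to be in the trust list too, and that proxy must itself accept connections only from the CDN.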
Has this been resolved? Looking at the library and using cloudflare
I ran into the same issue a day ago, but luckily I forked and adjusted the code a long time ago.
You can try it out... https://github.com/Chheung/request-ip
Usage:
app.use(requestIp.mw(), {
prioritize: ['cf-connecting-ip'],
});
What it does is reorder the header check in https://github.com/pbojinov/request-ip#how-it-works
Related issue: #75
Any news on this one? Has this been resolved?