[ENHANCEMENTS] Support CF_IPCountry for geolocating

Open colthouse opened this issue 3 months ago • 7 comments

Is your feature request related to a problem? Please describe.

I host multiple websites behind Cloudflare. Since Cloudflare doesn't append the Origin IP (except for Enterprise users), Zoraxy thinks every request coming through Cloudflare comes from the Cloudflare server itself.

This is a problem for me because I have Access Rules set up that won't work because of that.

Describe the solution you'd like

Some kind of toggle on every Proxy Rule that says "behind Cloudflare". When this toggle is active it'll use CF_IPCountry instead of the IP address to determine the origin of the request. Then the Access Rule feature would still work.

I think a toggle would be a good idea. Otherwise someone might just add the IP_IPCountry header to bypass Access Rules.

Additional context

https://developers.cloudflare.com/network/ip-geolocation/

colthouse, Sep 24 '25 09:09

@colthouse Yes, I think this is possible. However, in that case you will also need to have a list of whitelisted IPs which Zoraxy needs to trust for the IP_IPCountry header, otherwise this might be a security threat.

And no, automatically fetching CF server IPs from the Cloudflare website is not a feasible implementation, as that introduces external dependencies, and such an architecture is what I am trying to avoid if possible.

tobychui, Sep 24 '25 11:09

We could hardcode Cloudflare's IP ranges; I don't think they change very often.

AnthonyMichaelTDM, Oct 01 '25 06:10

> We could hardcode Cloudflare's IP ranges; I don't think they change very often.

No, but as a temporary workaround we can have a trusted_ip.json file under conf and load from there instead.

tobychui, Oct 01 '25 07:10

That is a more flexible approach.

AnthonyMichaelTDM, Oct 01 '25 07:10

I was mistaken, Cloudflare does send the IP address in its requests. To be more specific, it sets the X-Real-Ip, X-Forwarded-For and Cf-Connecting-Ip headers that all contain the original IP.

X-Real-Ip is probably the best header to use since it isn't Cloudflare specific and has the original IP set.

I found an unwanted workaround to "implement" this feature. @tobychui, please have a look at my Security Advisory if you haven't already.

colthouse, Oct 01 '25 10:10

@colthouse I have read your security advisory, but I don't think that is considered a security issue, more like room to improve in the access control feature. (See advisory comments for more details.)

But yeah, as mentioned earlier, this needs to wait until someone adds the "Trust IPs" feature in Zoraxy.

tobychui, Oct 01 '25 10:10

https://www.cloudflare.com/ips/

You could hard code, but it doesn't address the headers.

taslabs-net, Nov 04 '25 14:11
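
The trust check this thread converges on, as an added Go example that is not Zoraxy's code: Cloudflare's forwarded headers are read only when the connecting peer falls inside a configured trusted range, so a client connecting directly cannot set its own country. The `trusted_ip.json` layout, the function names and the sample CIDRs are assumptions; `CF-Connecting-IP` and `CF-IPCountry` are Cloudflare's header names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/netip"
	"slices"
)

// Constructed sample standing in for conf/trusted_ip.json: the array-of-CIDRs
// shape is an assumption, and these are documentation ranges, not Cloudflare's.
const sampleTrustedJSON = `["192.0.2.0/24", "2001:db8::/32"]`

// ParseTrusted decodes the assumed file layout into CIDR prefixes.
func ParseTrusted(data []byte) ([]netip.Prefix, error) {
	var cidrs []string
	if err := json.Unmarshal(data, &cidrs); err != nil {
		return nil, err
	}
	var out []netip.Prefix
	for _, s := range cidrs {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", s, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// ClientOrigin honours Cloudflare's headers only when the TCP peer is inside a
// trusted range; otherwise it returns the peer address and an empty country.
func ClientOrigin(r *http.Request, trusted []netip.Prefix) (netip.Addr, string) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, ""
	}
	peer := ap.Addr().Unmap()
	ip, err := netip.ParseAddr(r.Header.Get("CF-Connecting-IP"))
	if err == nil && slices.ContainsFunc(trusted, func(p netip.Prefix) bool { return p.Contains(peer) }) {
		return ip.Unmap(), r.Header.Get("CF-IPCountry")
	}
	return peer, ""
}

func main() {
	trusted, _ := ParseTrusted([]byte(sampleTrustedJSON))
	fmt.Println(ClientOrigin(&http.Request{RemoteAddr: "198.51.100.9:5555", Header: http.Header{}}, trusted))
}
```

An empty country in the result means the caller should geolocate the returned address itself rather than rely on a header.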