• Resolved devopa

    (@digitalkiller)


    Hi there!

    I guess the IP blocking does not work in combination with Cloudflare as the Cloudflare servers get blocked, correct?

    Is there any way to use the HTTP Header CF-Connecting-IP for the IP that gets used to identify users?

    Thanks!

    • This topic was modified 1 year, 9 months ago by devopa.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Alexandru Tapuleasa

    (@talextech)

    Hi,

    If your server is properly configured it should be properly reading the IP from Cloudflare and report it correctly to PHP.

    HTTP headers are not secure in any way. Anyone can just send any headers they want when they connect to the website and as a consequence they can just set a random IP each time they open your website.

    Thread Starter devopa

    (@digitalkiller)

    I actually think it’s the exact opposite.

    Cloudflare set up correctly means enabling the proxy function for DNS entries, which leads to the server receiving the requests from Cloudflare server IPs. Therefore we are not able to detect the “real” IP of the visitor.

    Therefore the only way to really identify the visitor is by looking at the CF-Connecting-IP header which will always show the real IP of the user in case he came through Cloudflare. Of course usually we are able to fake HTTP headers but I’m pretty sure Cloudflare overwrites the header for stuff like CF-Connecting-IP in order to ensure that there is always a way to identify the real IP of the visitor for further processing (e.g. for security purposes).

    Combined with blocking any port 80/443 connection from outside the whitelisted Cloudflare IP ranges (https://www.cloudflare.com/ips/), this would force the visitor to go through Cloudflare, which would then ensure that the above-mentioned header is always present, which in my opinion would make this the most efficient way to block attacks.

    There might be a mistake in my thoughts or I forgot something but right now this is how I think it is.

    In conclusion, for the plugin this would mean that there should be a check whether the request comes from a Cloudflare IP and, if so, it should use the above-mentioned header for identifying the client and potentially block any request from a Cloudflare IP that has the same IP in the header. If the request comes from outside the Cloudflare network, it should keep working the same way it does now.

    • This reply was modified 1 year, 9 months ago by devopa.
    Plugin Author Alexandru Tapuleasa

    (@talextech)

    True, but we would need to add an option for people to choose to use CF-Connecting-IP, because otherwise, if they are not using Cloudflare (which would make sure it’s safe), it could be used by an attacker.

    I have added it to our ToDo list.

    Thread Starter devopa

    (@digitalkiller)

    That’s why I thought that checking if the connecting IP is within the IP ranges of Cloudflare would be a good idea. If so: Apply the Cloudflare rule. If not: Business as usual.

    Is there any way to restrict direct access (using the server IP in the local hosts file) to the web server, allow traffic only via Cloudflare and block all other IPs?
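    The check proposed in the two posts above (trust CF-Connecting-IP only when the TCP peer is inside the published Cloudflare ranges, otherwise use REMOTE_ADDR as before) can be written as a small resolver. The following is an added example, not code from the plugin or from either poster; it uses RFC 5737/3849 documentation prefixes as a stand-in for the real list at https://www.cloudflare.com/ips/, and the sample requests are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Stand-in for the list published at https://www.cloudflare.com/ips/. These are
# RFC 5737 / RFC 3849 documentation prefixes, NOT real Cloudflare ranges: a real
# deployment loads the live list (IPv4 and IPv6) and refreshes it periodically.
CLOUDFLARE_RANGES: List[IPNetwork] = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def is_cloudflare_ip(addr: str, ranges: Iterable[IPNetwork] = CLOUDFLARE_RANGES) -> bool:
    """True if the TCP peer address lies inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # 'in' is False for mixed IPv4/IPv6 comparisons, so no version check is needed.
    return any(ip in net for net in ranges)


def client_ip(remote_addr: str, headers: Dict[str, str],
              ranges: Iterable[IPNetwork] = CLOUDFLARE_RANGES) -> str:
    """Address the plugin should use for blocking.

    remote_addr is the TCP peer (PHP's $_SERVER['REMOTE_ADDR']); headers are the
    request headers. CF-Connecting-IP is honoured only when the peer is a trusted
    Cloudflare address; otherwise the header is attacker-controlled and ignored.
    """
    if not is_cloudflare_ip(remote_addr, ranges):
        return remote_addr  # direct connection: business as usual

    # Header names are case-insensitive; PHP exposes this one as HTTP_CF_CONNECTING_IP.
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        # Proxied request without a usable header: fall back to the proxy address
        # rather than trusting garbage. An origin that only accepts Cloudflare
        # traffic should never see this case.
        return remote_addr


def is_blocked(remote_addr: str, headers: Dict[str, str], blocklist: Iterable[str],
               ranges: Iterable[IPNetwork] = CLOUDFLARE_RANGES) -> bool:
    """Block decision based on the resolved client address, not the raw peer."""
    blocked = {str(ipaddress.ip_address(b)) for b in blocklist}
    return client_ip(remote_addr, headers, ranges) in blocked


# Constructed sample requests (not captured traffic). 203.0.113.7 is the visitor
# on the blocklist; 192.0.2.10 plays a Cloudflare edge node.
SAMPLE_REQUESTS = [
    # (label, REMOTE_ADDR, headers)
    ("direct, spoofed header", "203.0.113.7", {"CF-Connecting-IP": "10.0.0.1"}),
    ("via Cloudflare", "192.0.2.10", {"CF-Connecting-IP": "203.0.113.7"}),
    ("via Cloudflare, no header", "192.0.2.10", {}),
    ("direct, claims blocked IP", "198.18.0.5", {"CF-Connecting-IP": "203.0.113.7"}),
]


def evaluate_samples(blocklist=("203.0.113.7",)) -> List[Dict[str, object]]:
    """Run every sample through the resolver; returns one decision per request."""
    results = []
    for label, peer, hdrs in SAMPLE_REQUESTS:
        results.append({
            "label": label,
            "client_ip": client_ip(peer, hdrs),
            "blocked": is_blocked(peer, hdrs, blocklist),
        })
    return results


if __name__ == "__main__":
    for r in evaluate_samples():
        print(f"{r['label']:<28} client={r['client_ip']:<15} blocked={r['blocked']}")
```

    The first and fourth samples show why the range check matters: a direct connection cannot un-block itself by sending a harmless CF-Connecting-IP, and cannot get someone else blocked by naming their address, because the header is only read when the peer is a Cloudflare address.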

    Plugin Author Alexandru Tapuleasa

    (@talextech)

    If all traffic is proxied via Cloudflare, I guess you could do that through the server’s firewall, like UFW, if you have SSH access. But I’m not an expert, so I can’t give you a step-by-step guide. You should be able to find how to do it on Google.

  • The topic ‘Combination with Cloudflare’ is closed to new replies.