• Resolved sergeyf1

    (@sergeyf1)


    Hello,

    I started using Cloudflare to further protect my site, and discovered a problem with your plugin.

    The IP addresses setting in your plugin in the “Unrestricted IP addresses” section doesn’t work correctly. Namely, even with “white” IP addresses added in the settings (from which I want to have access to the site), I cannot get access to the front-end of the site. I can access the admin panel, but not the front-end. The standard message about site access restriction configured in your plugin appears.

    I believe that this problem is directly related to the fact that Cloudflare DNS Proxy is active, as a result of which IP addresses configured in the plugin will not work anyway, because the site is behind the Cloudflare Proxy server.

    Is there a solution to this problem?
    How can this be fixed?
    Is your plugin compatible with a configuration that includes an active Cloudflare DNS Proxy?

    I will be grateful for the answer and help.
    Thank you!

    PHP 7.4.33
    Apache
    WordPress 6.5.5

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support Darin Kotter

    (@dkotter)

    @sergeyf1 Thanks for the question! This is a known limitation and does require additional configuration for this to work. When a site is behind something like Cloudflare, the IP addresses we look at won’t be accurate. We used to try and support this in the plugin but unfortunately this can lead to security issues with spoofing of HTTP headers (you can see https://github.com/10up/restricted-site-access/issues/195 for some of those details).

    Because of that, we removed that feature in order to be more secure. That functionality still exists though and can be manually turned on through the use of a few filters. See our README for full details.

    In short, you’ll need to use the rsa_trusted_headers filter to add whatever header your CDN uses to pass in the client IP address (I believe that is HTTP_CF_CONNECTING_IP for Cloudflare). For additional security hardening, you can also use the rsa_trusted_proxies filter to set the IP addresses your proxy uses, which allows us to only trust those additional headers if a request is coming straight from the proxy (eliminating any risk of spoofing).
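
The configuration described in the reply above, as an added example that is not part of the original thread or the plugin's own code. It assumes both filters receive an array and must return one, and that `rsa_trusted_proxies` accepts CIDR notation; the proxy ranges are documentation placeholders and the `example_*` names are hypothetical.

```php
<?php
/**
 * Added example: trust the Cloudflare client-IP header only for requests
 * that arrive from the proxy itself.
 * Assumption: each filter is passed an array and returns an array.
 */

// Placeholder ranges from documentation address space (RFC 5737 / RFC 3849).
// Replace them with the ranges your proxy provider publishes.
const EXAMPLE_PROXY_RANGES = array(
	'203.0.113.0/24',
	'198.51.100.0/24',
	'2001:db8::/32',
);

/** True when $entry is a syntactically valid IP address or CIDR range. */
function example_is_valid_range( $entry ) {
	$parts = explode( '/', (string) $entry, 2 );
	if ( false === filter_var( $parts[0], FILTER_VALIDATE_IP ) ) {
		return false;
	}
	if ( ! isset( $parts[1] ) ) {
		return true; // Single address, no prefix length.
	}
	$max = ( false !== strpos( $parts[0], ':' ) ) ? 128 : 32;
	return 1 === preg_match( '/^\d{1,3}$/', $parts[1] ) && (int) $parts[1] <= $max;
}

// Addresses the plugin should accept forwarded headers from. Malformed entries
// are dropped here so a typo cannot end up in the trust list.
add_filter( 'rsa_trusted_proxies', function ( $proxies = array() ) {
	$valid = array_filter( EXAMPLE_PROXY_RANGES, 'example_is_valid_range' );
	return array_values( array_unique( array_merge( (array) $proxies, $valid ) ) );
} );

// Header the proxy uses to pass the client address (the one named in the reply).
// It is added only when at least one valid proxy range is configured, so the
// header is never trusted without a proxy restriction next to it.
add_filter( 'rsa_trusted_headers', function ( $headers = array() ) {
	$headers = (array) $headers;
	if ( array_filter( EXAMPLE_PROXY_RANGES, 'example_is_valid_range' ) ) {
		$headers[] = 'HTTP_CF_CONNECTING_IP';
	}
	return array_values( array_unique( $headers ) );
} );
```

Load it from a must-use plugin or a small custom plugin so the filters are registered before the access check runs.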

    Thread Starter sergeyf1

    (@sergeyf1)

    Hi Darin (@dkotter),

    Thank you for your detailed and clear answer.
    Problem solved.
