Cloudflare and their new SSL for free users

DennisSkov · Sep 30, 2014

@Xon, that made no sense to me at all. I'm not very technical. Could you try to explain it so that a newbie like me understands it?

Xon · Sep 30, 2014

DennisSkov said:
@Xon, that made no sense to me at all. I'm not very technical. Could you try to explain it so that a newbie like me understands it?

You must validate who is sending the "real ip" header. If it is Cloudflare or a http aware loadbalancer, Great!

If it's a spammer saying they are coming from <you server ip here>, and you accept that; not so great.

DennisSkov · Sep 30, 2014

That made a little more sense, but I wouldn't know how to secure that that won't happen...

Brent W · Oct 1, 2014

I created this thread on @eva2000 website to help document what needs to happen for XenForo + Nginx + Cloudflare Flexible SSL (and eventually strict)

https://community.centminmod.com/threads/cloudflare-flexible-ssl-nginx-xenforo.1541/

Brent W · Oct 2, 2014

FYI @eva2000 replied with this:

The Nginx http to https redirect is same as mentioned at Nginx HTTPS / SSL Google SPDY configuration

Code (Text):
server {
server_name domain.com www.domain.com;
return 301 https://$server_name$request_uri;
}

As to seeing the real ip, really depends on whether Xenforo is the only web app on the server as that Xenforo work around at How do I restore original visitor IP with XenForo? – CloudFlare Support would only take care of Xenforo. If you have other web apps on same server under same Cloudflare protected domain, those web apps won't see the real ip. And yes as per Cloudflare and their new SSL for free users | XenForo Community it's isn't a good solution
For all web apps under same Cloudflare protected domain to see the real IP, you don't need to do Xenforo workaround at How do I restore original visitor IP with XenForo? – CloudFlare Support but instead do what is listed at Nginx Cloudflare, Incapsula & PageSpeed Service Configuration (reverse proxy HttpRealIpModule) which is actually Cloudflare's recommended method as outlined at Does CloudFlare have an IP module for Nginx? – CloudFlare Support

Floren · Oct 3, 2014

Xon said:
That will allow any visitor bypassing CloudFlare to set the sender IP and requires that CloudFlare is replacing that header and not adding it.

You must validate that the upstream IP matches a CloudFlare IP before you accept that header: https://support.cloudflare.com/hc/e...6-Does-CloudFlare-have-an-IP-module-for-Nginx-

Why use CF-Connecting-IP? It does not make sense. Not to mention that they always change the IP addresses...

Xon · Oct 3, 2014

Floren said:
Why use CF-Connecting-IP? It does not make sense. Not to mention that they always change the IP addresses...

The CF-Connecting-IP header is how CloudFlare passes in the original IP before they proxy the connection. The list of IP addresses is who is allowed to send it, and it's up to the website owner to keep that list up-to-date (but it hasn't changed for a while).

rdn · Oct 6, 2014

Fixed most of the issues

Pinoy Internet and Technology Forums now serve by Cloudflare Free Plan using Full SSL.
Already added some white list on csf.allow and csf.ignore, real ip forwarding on nginx.conf.

Cloudflare and their new SSL for free users

DennisSkov

Active member

Xon

Well-known member

DennisSkov

Active member

Brent W

Well-known member

Brent W

Well-known member

Floren

Well-known member

Xon

Well-known member

rdn

Well-known member

Similar threads

We value your privacy