XF 2.2 How can check if someone can know my server's IP by linking an image from his website?
- Thread starter securedme
- Start date
MySiteGuy
Well-known member
Cloudflare is not enough.
You have to:
1. Use an external email provider.
2. Setup Xenforo's proxy settings in config.php to prevent Xenforo's image proxy and unfurling of URLs from leaking the IP address. Or use the Digital Point Cloudflare app to do this.
You have to:
1. Use an external email provider.
2. Setup Xenforo's proxy settings in config.php to prevent Xenforo's image proxy and unfurling of URLs from leaking the IP address. Or use the Digital Point Cloudflare app to do this.
securedme
Well-known member
I use amazon's ses for mail delivery. I just setup the basic as long as it could delivery my emails. It's too complicated.
I'm using Digital Point's CF app. Images and attachments are stored in R2. I haven't turned on Workers for image/unfurl proxy. Wonder if I should do so.
Is there a tool that I can test if my IP is exposed?
I'm using Digital Point's CF app. Images and attachments are stored in R2. I haven't turned on Workers for image/unfurl proxy. Wonder if I should do so.
Is there a tool that I can test if my IP is exposed?
General rule of thumb:
If an admin asks if the server IP may leak or how to test that, it is pretty much guaranteed that the IP will leak (in some way or another)
Digital Point app for Cloudflare does handle Unfurl and Image proxy, but apart from email sending there are way more features even in stock XenForo that may (Read: will if not explicitly configured to use a proxy) leak the server IP to 3rd parties:
If Add-ons are used, this list may get a lot longer and it might not even be possibble to address all possible leaks via proxy setting.
One such example would be https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/ which may probe TCP ports to detect bots.
If an admin asks if the server IP may leak or how to test that, it is pretty much guaranteed that the IP will leak (in some way or another)
Digital Point app for Cloudflare does handle Unfurl and Image proxy, but apart from email sending there are way more features even in stock XenForo that may (Read: will if not explicitly configured to use a proxy) leak the server IP to 3rd parties:
- Push Notifications
- E-Mail Unsubscribe & Bounce Handler
- Search Engine Sitemap Ping
- Media Embeds
- XenForo License / Update Check
- JS Minification
- Spam Checkers: StopForumSpam & Akismet
- Connected Account Providers
- Payment Providers
- Giphy Integration
- CAPTCHAs except Question & Answer
If Add-ons are used, this list may get a lot longer and it might not even be possibble to address all possible leaks via proxy setting.
One such example would be https://xenforo.com/community/resources/signup-abuse-detection-and-blocking.6812/ which may probe TCP ports to detect bots.
Last edited:
It depends entirely on your threat model and who exactly you're trying to prevent leaking the IP to. As far as I know, we proxy all cases where end-users can initiate arbitrary connections (including push notifications and media embeds), but not more generally to servers which are considered trusted (either set up by the administrator or run by a reputable provider) since the risk is much lower.
Between configuring an HTTP proxy and using an email provider which strips the IP from headers (SES), you're probably reasonably safe from leaking it to bad-faith actors (people looking to DDoS, etc).
But yes, YMMV and add-ons may introduce additional vectors.
Between configuring an HTTP proxy and using an email provider which strips the IP from headers (SES), you're probably reasonably safe from leaking it to bad-faith actors (people looking to DDoS, etc).
But yes, YMMV and add-ons may introduce additional vectors.
Depending on configuration, the server IP or at most your hosting provider's regional IP allocation can be leaked via reverse DNS lookups.
The add-on contains a proxy script for that feature, and next release the TCP port probe will be disabled by default.