How do you avoid your server IP to be leaked using Cloudflare?

fionix

Well-known member
We have spent several days trying to prevent the server’s real IP from being exposed when XenForo makes outbound connections. When we ask XenForo Support or Cloudflare, the response is simply, "Ask your host to set up a reverse proxy."

It’s not a problem to hide the original IP address using Cloudflare’s default settings, but this only applies to inbound traffic.

If someone is technically skilled, they can manipulate the URL of any XenForo forum and retrieve the original server IP directly in their own server logs. With this IP, it becomes easy to initiate a low-cost DDoS attack on the forum.

The question is, are people aware of this, or do they assume they are fully protected just because they use Cloudflare?

And are there any hosting providers specialized in XenForo hosting that can set up a reverse proxy/VPN for both directions so that the original server IP is never exposed?
 
Use XenForo's built-in proxy system using a third-party VPS running TinyProxy, and also use a third-party mail server that does not leak the mail server header. Disable remote URL retrieval for further protection.
 
A reverse proxy can't be used for outbound connections, you need a forward proxy (Squid, TinyProxy, etc) to do this.

XenForo has config.php options to configure a proxy.
If you have access to a proxy just configure that and this should cover outbound connections except SMTP (and maybe Add-ons that don't follow resource standards).

If you can't use a proxy:

For SMTP make sure to use a service provider that hides the client IP.

Configure your firewall to only accept incoming traffic from whitelisted IPs (Cloudflare Edge, your own IP, etc.).

do they assume they are fully protected just because they use Cloudflare?
IMHO the vast majority unfortunately just believes this.
 
A reverse proxy can't be used for outbound connections, you need a forward proxy (Squid, TinyProxy, etc) to do this.

XenForo has config.php options to configure a proxy.
If you have access to a proxy just configure that and this should cover outbound connections except SMTP (and maybe Add-ons that don't follow resource standards).

If you can't use a proxy:

For SMTP make sure to use a service provider that hides the client IP.

Configure your firewall to only accept incoming traffic from whitelisted IPs (Cloudflare Edge, your own IP, etc.).


IMHO the vast majority unfortunately just believes this.

I would also be sure that there are no subdomains leaking too.
 
@Kirby I don't really understand, you recommend using the DigitalPoint add-on if you can't use a proxy and then you say that CF does not protect against IP leaks.
 
This Add-on has a feature to use Cloudflare workers for image proxy and unfurl.

This does not cover all outbound HTTP connections made by XenForo (like the proxy would) but still raises the bar for an attacker to get the origin IP.
 
Everyone interested in testing what they posted here: below is one of the methods by which a user found our server's IP address:
HTTP_USER_AGENT = XenForo/2.x (OUTPUT IN SERVER LOG GOES HERE WITH THE FORUM URL)
REMOTE_ADDR = XX.X.XXX.XXX <- the server's original IP will be printed here.

I did some research and NGINX should be another method; does anyone already know if one of the methods posted above will work against this?
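As an added example (not code from this thread, from XenForo or from Cloudflare), here is a small Python log check that covers both verifications the thread talks about: the server-log method described in the post above (seeing which address the forum's outbound fetch arrives from) and the firewall advice earlier in the thread (only Cloudflare edge addresses should ever reach the origin). Every IP address, CIDR range, hostname and log line below is a constructed placeholder; in particular the "Cloudflare edge" ranges are stand-ins, not the real published list, and the user-agent string only mimics the shape shown in the post.

```python
"""Two defender-side checks for an origin-IP leak, run on constructed access logs."""
import ipaddress
import re

# Placeholder edge ranges (constructed). In practice load Cloudflare's published
# ips-v4 / ips-v6 lists; these two documentation ranges are NOT the real ones.
CLOUDFLARE_EDGE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Egress address of the forward proxy (TinyProxy/Squid) the forum is configured to use.
# Constructed placeholder.
PROXY_EGRESS = {ipaddress.ip_address("192.0.2.50")}

# Apache/nginx "combined" log format: remote addr, ident, user, time, request,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed log of a site YOU control, after posting one of its image URLs on
# your own forum. 192.0.2.50 is the proxy; 198.18.0.7 plays the forum's origin.
TEST_ENDPOINT_LOG = [
    '192.0.2.50 - - [10/Oct/2024:12:00:01 +0000] "GET /img/bait.png HTTP/1.1" 200 512 "-" "XenForo/2.x (https://forum.example/)"',
    '198.18.0.7 - - [10/Oct/2024:12:00:02 +0000] "GET /img/bait.png HTTP/1.1" 200 512 "-" "XenForo/2.x (https://forum.example/)"',
    '10.0.0.9 - - [10/Oct/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
]

# Constructed access log of the forum's own origin server (raw socket addresses,
# i.e. before any "restore visitor IP" module rewrites them).
ORIGIN_LOG = [
    '203.0.113.10 - - [10/Oct/2024:12:05:01 +0000] "GET /forums/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Oct/2024:12:05:02 +0000] "GET /threads/1/ HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2024:12:05:03 +0000] "GET /forums/ HTTP/1.1" 200 9000 "-" "curl/8.0"',
]


def parse(lines):
    """Yield dicts for lines that match the combined format; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["ip"] = ipaddress.ip_address(entry["ip"])
            yield entry


def outbound_leaks(lines, proxy_egress=PROXY_EGRESS):
    """Check 1: on the log of the site you fetched from, any request carrying the
    forum's user agent that did NOT come from the proxy egress means the forum
    connected directly and exposed its origin address."""
    return [
        (str(e["ip"]), e["req"])
        for e in parse(lines)
        if e["ua"].startswith("XenForo/") and e["ip"] not in proxy_egress
    ]


def direct_origin_hits(lines, edge=CLOUDFLARE_EDGE):
    """Check 2: on the origin's own log, any request whose socket address is outside
    the edge ranges bypassed Cloudflare, so the origin address is already known to
    someone (and the firewall allowlist is not in place)."""
    return [
        (str(e["ip"]), e["req"])
        for e in parse(lines)
        if not any(e["ip"] in net for net in edge)
    ]


if __name__ == "__main__":
    print("outbound fetches not via proxy:", outbound_leaks(TEST_ENDPOINT_LOG))
    print("origin hits not from edge:     ", direct_origin_hits(ORIGIN_LOG))
```

Two practical notes: check 1 only proves anything if the bait URL was fetched by the forum itself (image proxy, unfurl, RSS, and so on), so run it once per feature you want to verify; check 2 must be fed the raw remote socket address, because once a "real visitor IP" module rewrites the log field with the CF-Connecting-IP header, every line will look like a direct hit.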
 
Everyone interested in testing what they posted here: below is one of the methods by which a user found our server's IP address:

I did some research and NGINX should be another method; does anyone already know if one of the methods posted above will work against this?
That doesn't reveal anything.
 
nginx is quite versatile, it can be used as forward proxy.

Though I'd probably prefer a tool that was specifically written to be a proxy instead of nginx.
 
Everyone interested in testing what they posted here: below is one of the methods by which a user found our server's IP address:

I did some research and NGINX should be another method; does anyone already know if one of the methods posted above will work against this?

That doesn't sound right at all. Those are headers the web server sets, and are not sent out. They will show up on the web server logs for the system admin's use. Someone would have to log into the server to see those logs.
 
No, I don't want to share the trick here, but you put your own website URL into a post, then you go to your own website and see where the call comes from. So you get the above message in your server logs.
 
To clarify, it's not a "trick".
It just requires checking the web server logs.

When we ask XenForo Support or Cloudflare, the response is simply, "Ask your host to set up a reverse proxy."
I said an HTTP proxy, not a reverse proxy.
They are two different things.
 
No, I don't want to share the trick here, but you put your own website URL into a post, then you go to your own website and see where the call comes from. So you get the above message in your server logs.

The people here have already said the proxy can leak the IP address, and it's already well known how to do it. There's no "trick" to it, really, and when you stated the information about headers, all you did was restate the same thing when noting the headers. However, you shared it as if it was server-side logs, not client-side, and that's why it sounded off.

Perhaps there's a language barrier.
 
In principle, it doesn’t really matter what was said word for word. The fact is, I don’t think many people running a Xenforo forum know this can happen, and that's why they're shocked when their forum gets hacked or bombarded with DDoS attacks when they thought Cloudflare was protecting them! Cloudflare even advertises that you’re protected.

I also think it’s pretty weak of Xenforo support to just respond with, "You’ll have to figure it out yourself, ask your host to fix it," when they likely know what can be done. They could at least provide a more detailed standard response, so novices don’t have to search around for a solution like we did before finding it.

This thread has been super helpful in fixing the problem. It really wasn’t that hard to offer a bit of support, especially when we even offered to pay for it.
 
it doesn’t really matter what was said word for word
It really does.
They are two entirely different things.

I also think it’s pretty weak of Xenforo support to just respond with, "You’ll have to figure it out yourself, ask your host to fix it," when they likely know what can be done.
Our support pertains to XF software only, not your hosting account, server, or CloudFlare.
 
That's fine, you can have it your way, and it's your business. I’m not interested in debating this any further. You know what’s best for your customers and how you want to present yourselves to the public.
 
In principle, it doesn’t really matter what was said word for word. The fact is, I don’t think many people running a Xenforo forum know this can happen, and that's why they're shocked when their forum gets hacked or bombarded with DDoS attacks when they thought Cloudflare was protecting them! Cloudflare even advertises that you’re protected.
This has been covered numerous times on xenforo.com.

And covered in many other places around the Internet. It is not a new revelation, and pretty much affects all software that either sends email, or accepts user generated content with external images.

I also think it’s pretty weak of Xenforo support to just respond with, "You’ll have to figure it out yourself, ask your host to fix it," when they likely know what can be done. They could at least provide a more detailed standard response, so novices don’t have to search around for a solution like we did before finding it.
Most novices can't handle something like this. People who can handle it, all they usually need to be told is where the IP address is being leaked (like email, unfurl and the image proxy). And how to set these up is covered in topics in the forum. :-)

As an aside, most forums will never need to do these steps because they'll never attract a DDoS attack, and if they use a service like Cloudflare they still get a lot of benefits (like bot blocking). I'm not saying it's not a good idea to implement these measures.

This thread has been super helpful in fixing the problem. It really wasn’t that hard to offer a bit of support, especially when we even offered to pay for it.

Did you read the replies about the proxy, the Digital Point add-on doing the heavy lifting if you don't want to set that up, and email? Those were the correct answers. The very fact you're getting upset makes me wonder if you want to take the leads to solutions people gave.

  • When we say it can be leaked via email, we can't detail setup for every single possible external email service. It's beyond the scope of a support thread.
  • When we say use a proxy, and that XenForo's config files can handle it, it's also beyond the scope of this thread to detail how to set up a reverse proxy, when there are many methods and guides for this.
 
And covered in many other places around the Internet. It is not a new revelation, and pretty much affects all software that [...] accepts user generated content with external images.
Hmm ... no.
If a software just accepts user generated content containing external images but does not proxy them it would not leak the origin IP.

Did you read the replies about the proxy, the Digital Point add-on doing the heavy lifting
The Add-on does not cover all outgoing connections, just the two most common ones (image proxy and unfurl).
With enough effort an attacker probably could find other ways to trigger outgoing connections that would leak the origin IP (like RSS feed reader, push notifications, ...).
So for a somewhat waterproof approach there is no way not to use a proxy (or disable / do not use features that trigger outgoing connections to user-provided endpoints).

it's also beyond the scope of this thread to detail how to setup a reverse proxy,
;)
 
In principle, it doesn’t really matter what was said word for word. The fact is, I don’t think many people running a Xenforo forum know this can happen, and that's why they're shocked when their forum gets hacked or bombarded with DDoS attacks when they thought Cloudflare was protecting them! Cloudflare even advertises that you’re protected.

I also think it’s pretty weak of Xenforo support to just respond with, "You’ll have to figure it out yourself, ask your host to fix it," when they likely know what can be done. They could at least provide a more detailed standard response, so novices don’t have to search around for a solution like we did before finding it.

This thread has been super helpful in fixing the problem. It really wasn’t that hard to offer a bit of support, especially when we even offered to pay for it.
I think you're just overcomplicating things. Give me your website URL (PM) and I will find your source IP and all methods used. Any remote IP logger will reveal the website source IP as well. I'm having issues, though, with this method to get the 2.3 link proxy working correctly: https://xenforo.com/community/threads/link-proxy.225645/
 