How do you avoid your server IP to be leaked using Cloudflare?

Hmm ... no.
If software just accepts user generated content containing external images but does not proxy them, it would not leak the origin IP.
Yes, I know this. Just missed it in my overall reply.
The Add-on does not cover all outgoing connections, just the two most common ones (image proxy and unfurl).
With enough effort an attacker probably could find other ways to trigger outgoing connections that would leak the origin IP (like RSS feed reader, push notifications, ...).
Yes, I know this, and the person who brought it up said it doesn't cover email.

It seems you want to find fault in every answer, so my parting comment is: Good luck.
 
Tried to obtain the IP; all seems safe. Header masks IP (127.0...). No remote embedding of URLs (no logging) and no subdomain leaks on the surface.
 
While I haven't done it with XenForo, as I'm in the process of migrating from IPS -> XenForo: we use AWS and Cloudflare, so we block all connections to our forum server except from Cloudflare servers, which requires users to go through Cloudflare and not hit our IPs directly.
 
Use XenForo's built-in proxy system with a third party VPS running TinyProxy, and also use a third party mail server that does not leak the mail server header. Disable remote URL retrieval for further protection.
You also need to disable post previews in the post editor or I can get the server IP with Wireshark.
 
In principle, it doesn’t really matter what was said word for word. The fact is, I don’t think many people running a Xenforo forum know this can happen, and that's why they're shocked when their forum gets hacked or bombarded with DDoS attacks when they thought Cloudflare was protecting them! Cloudflare even advertises that you’re protected.

I also think it’s pretty weak of Xenforo support to just respond with, "You’ll have to figure it out yourself, ask your host to fix it," when they likely know what can be done. They could at least provide a more detailed standard response, so novices don’t have to search around for a solution like we did before finding it.

This thread has been super helpful in fixing the problem. It really wasn’t that hard to offer a bit of support, especially when we even offered to pay for it.

XenForo are software developers. They build software that you then self-host. Their responsibility stops at the software and your hosting setup is your responsibility.

Obviously if you are running on XenForo Cloud, then it is in their own best interest to provide support to prevent DDoS attacks on their infrastructure - but self hosting is all on you.

It's pretty trivial these days to set up a website - pretty much anyone with a little bit of technical understanding can do it.

However, it's very much non-trivial to host a site that is robust and hardened against all forms of attacks and intrusions - there is a reason why security experts get paid a lot of money - it becomes very complicated very quickly and requires detailed knowledge of how things actually work.

The XenForo software gives you all the tools you need to be able to manage this - it's up to you to implement it though and they really can't give you instructions beyond "set up a proxy" because exactly how you do that will depend on many different factors that are specific to you.

The simple fact is that the vast majority of their thousands and thousands of clients never have a need to do this - Cloudflare is good enough to stop spambots and unsophisticated DDoS attacks.

It's only if you are being targeted by malicious actors who know what they are doing that you're going to need a more sophisticated setup - and you will need actual expertise and in-depth knowledge of how everything works to effectively mitigate it.

At the end of the day though, this is purely an administrative/hosting issue and well beyond the scope of what XenForo are responsible for - they've given you the tools - it's up to you to work out how to use them for your specific setup.

To expect that your US$195 license fee will give you unlimited support for all of your hosting/administrative needs is pretty unreasonable. Try engaging a security expert to harden your site against DDoS attacks and see how far you get for US$195?
 
As a general point about preventing IP leakage - you should also be very careful about the addons you use on your site, particularly if they make any kind of external calls.

All addons should use the built-in HTTP client provided by the XenForo core - which then allows outgoing calls to be proxied if configured for your site. However, some badly written addons that don't adhere to the Resource standards (see point 27) might make external calls directly, which could conceivably cause IP leakage - although much more difficult to exploit compared to what you can do with user generated content.
 
Test
Interesting, I can only see my own IP with this request :|
Using a certain third party IP logging website link in the preview will give it and pass it to Wireshark. This doesn't use the image proxy either.

Those requests are passed through the image proxy to your configured HTTP proxy. If you're seeing your server IP then it's because you haven't actually configured an HTTP proxy: https://xenforo.com/docs/xf2/config/#http-client-settings
That may be the case; I don't bother with a proxy, I have 3.5 Tbit+ DDoS protection on all my IPs, for $3 a month. No one has ever taken us down, and man do they try. Goes with the territory with what our forum does. Ukraine was a recent challenge.
 
How about at the application level, layer 7?
 
I'm happy that we don't have to rely on people with sense like yours, who know an answer to everything they can't possibly know.

That said, we found a good solution, and yes, XenForo needs lots of customizing and securing of weak points on a standard installation.
 
A reverse proxy can't be used for outbound connections; you need a forward proxy (Squid, TinyProxy, etc.) to do this.

XenForo has config.php options to configure a proxy.
If you have access to a proxy just configure that and this should cover outbound connections except SMTP (and maybe Add-ons that don't follow resource standards).

If you can't use a proxy:

For SMTP make sure to use a service provider that hides the client IP.

Configure your firewall to only accept incoming traffic from whitelisted IPs (Cloudflare Edge, your own IP, etc.).


IMHO the vast majority unfortunately just believes this.
I would also like to add onto this:

  1. Protect your web server(s) with Cloudflare, or HAProxy+NGINX (your own alternative). When you set this up, however, make sure that your protected web instances have proper firewall rules/routing configured so that access to 80/443 (or whatever port) is only routable or accessible through the reverse proxy, i.e. your own specific HAProxy/NGINX stack IPs, or Cloudflare IPs. As of the time of this post, these are Cloudflare's:
    1. https://www.cloudflare.com/ips/
      1. IPv4 https://www.cloudflare.com/ips-v4/#
      2. IPv6 https://www.cloudflare.com/ips-v6/#
      3. If you are unsure what to do with these IP addresses, copy them into an LLM like
      4. Here is one AI example to make your life easier - https://poe.com/s/p0h7zImjhKOJxPxiP3dJ
  2. Protecting your outbound email can be done in a handful of ways
    1. Use something highly affordable and trustworthy such as Amazon's SES - https://aws.amazon.com/ses/ as this should mask your origin IP. You may also have to filter outgoing headers, which can be done like this
      1. php.ini:
        ; stop PHP from adding the X-PHP-Originating-Script header to outgoing mail
        mail.add_x_header = Off
        ; stop PHP from adding the X-Powered-By header to HTTP responses
        expose_php = Off
    2. Postfix can also be used on another VPS, where you set up configs to filter the origin IP headers. You just need to modify your header checks like this
      1. header_checks (regexp table, referenced from main.cf as header_checks = regexp:/etc/postfix/header_checks):
        # drop the headers that would reveal the originating host
        /^X-PHP-Originating-Script:/ IGNORE
        /^Received:/                 IGNORE
        /^Message-Id:/               IGNORE
    3. I agree a forward proxy is an ideal option; Squid can easily be set up/configured in a container, which could be a nice option for some people that understand containers - https://hub.docker.com/r/ubuntu/squid
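As an added example (not code from this thread) tying together the firewall step above and the earlier advice to only accept incoming traffic from Cloudflare Edge and your own IP: a POSIX shell script that pulls Cloudflare's published ranges and renders them into an nftables ruleset with a default-drop input policy. The table and set names, the ADMIN_IP placeholder and the sample ranges are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): nftables ruleset that accepts TCP 80/443
# only from Cloudflare edge ranges (plus SSH from one admin IP) and drops the rest.
set -eu
# Placeholder admin address; replace with your own.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Fetch the published ranges (the URLs linked above) into two variables.
fetch_cf_ranges() {
    CF_V4=$(curl -fsS https://www.cloudflare.com/ips-v4/)
    CF_V6=$(curl -fsS https://www.cloudflare.com/ips-v6/)
}

# Turn a newline-separated list into "a, b, c" for an nft set ("" if empty).
to_elements() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*$' | paste -s -d, - | sed 's/,/, /g'
}

# One nft set definition; a set with no members must omit "elements" entirely.
set_line() {   # $1 set name, $2 address type, $3 element list
    if [ -n "$3" ]; then
        printf '  set %s { type %s; flags interval; elements = { %s } }\n' "$1" "$2" "$3"
    else
        printf '  set %s { type %s; flags interval; }\n' "$1" "$2"
    fi
}

# Build the ruleset from an IPv4 list ($1) and an IPv6 list ($2).
gen_ruleset() {
    v4=$(to_elements "$1"); v6=$(to_elements "$2")
    printf 'table inet edge_only {\n'
    set_line cf_v4 ipv4_addr "$v4"
    set_line cf_v6 ipv6_addr "$v6"
    cat <<EOF
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr $ADMIN_IP tcp dport 22 accept
    ip saddr @cf_v4 tcp dport { 80, 443 } accept
    ip6 saddr @cf_v6 tcp dport { 80, 443 } accept
  }
}
EOF
}

# Constructed sample ranges (documentation space, not Cloudflare's) for a dry
# run; in production call fetch_cf_ranges and pass "$CF_V4" "$CF_V6" instead.
gen_ruleset "198.51.100.0/24
192.0.2.0/25" "2001:db8::/32"
```

Validate the output with `nft -c -f rules.nft` before loading it with `nft -f rules.nft`, and re-run the script on a schedule because Cloudflare's ranges change.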
 