
XF 1.4 Question about Cloudflare and IP detection

imthebest

Well-known member
#1
Hi Mike,

On a recent thread you said the following:

We record the IP that connected to the server, not the untrusted and spoofable forwarded IP. Recording the spoofable IP (only) would create a vulnerability and a trivial way to hide where you're actually connecting from.
https://xenforo.com/community/threa...chromes-data-saver-enabled.97501/#post-930873

I'm using Cloudflare and in order to make my forum able to recognize the real IPs of my members (and not those Cloudflare IPs) I have added the following on my config.php file:

Code:
// Unconditionally overwrite REMOTE_ADDR with the Cloudflare header when present
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
By doing this, am I becoming vulnerable?

Thanks,
Super120

Mike

XenForo developer
Staff member
#2
If you trust CloudFlare to be giving you the real IP, then you're fine (and really, since you're sending all content through CloudFlare, you better be trusting them).

Technically, the full caveat is that you should only be looking at that header if the user is actually connecting through CloudFlare, which you would need to identify based on the IP address in REMOTE_ADDR (to confirm it's owned by CloudFlare).

imthebest

Well-known member
#3
So in other words, as my config.php currently is, anyone could make XF think that they are browsing via Cloudflare and send a fake "real" IP address?

Mike

XenForo developer
Staff member
#4
Only if they aren't accessing via CloudFlare (assuming the X-CF-Connecting-IP header they send represents the real IP making the connection to them).
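The check Mike describes in #2 (trust CF-Connecting-IP only when REMOTE_ADDR itself is a Cloudflare address), together with the spoofing scenario from #3/#4, as an added example. This is not XenForo's or Cloudflare's own code; the function names are my own, and the range list is a snapshot of Cloudflare's published IP ranges (https://www.cloudflare.com/ips/) that must be refreshed from that page rather than copied blindly.

```php
<?php
// Added example, not from the original thread or from XenForo.
// Honour CF-Connecting-IP only when the TCP peer is a Cloudflare edge node.
// ASSUMPTION: this snapshot of https://www.cloudflare.com/ips/ is current;
// re-fetch it periodically, as the published list changes.
const CLOUDFLARE_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
    '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32',
    '2405:8100::/32', '2a06:98c0::/29', '2c0f:f248::/32',
];

// True if $ip (v4 or v6) lies inside $cidr. Binary comparison via inet_pton
// so the same code handles both address families.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $subnetBin = inet_pton($subnet);
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false; // unparsable address, or v4 compared against a v6 range
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    $remBits = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF; // top $remBits bits of the partial byte
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

function isCloudflareIp(string $ip, array $ranges = CLOUDFLARE_RANGES): bool
{
    foreach ($ranges as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Decide which address to record. The header is used only when the peer is
// a Cloudflare edge AND the header value is a syntactically valid IP;
// otherwise the raw peer address is kept, so a direct visitor cannot inject
// a fake "real" IP.
function resolveClientIp(array $server, array $ranges = CLOUDFLARE_RANGES): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    if ($forwarded !== null
        && isCloudflareIp($peer, $ranges)
        && filter_var($forwarded, FILTER_VALIDATE_IP) !== false) {
        return $forwarded;
    }
    return $peer;
}

// Constructed sample requests (not real traffic) showing both outcomes.
if (PHP_SAPI === 'cli') {
    // 1. Genuine Cloudflare-proxied request: header is trusted.
    $viaCf = ['REMOTE_ADDR' => '104.16.1.1', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
    echo resolveClientIp($viaCf), "\n";   // 203.0.113.7

    // 2. Direct connection with a forged header (the scenario in post #3): ignored.
    $spoofed = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
    echo resolveClientIp($spoofed), "\n"; // 198.51.100.9
}

// In config.php the check would be applied once, before XenForo reads REMOTE_ADDR:
// $_SERVER['REMOTE_ADDR'] = resolveClientIp($_SERVER);
```

The check closes the hole only for the forwarded-header path. A visitor who can reach the origin server directly still bypasses Cloudflare entirely, so the usual companion measure is to firewall the origin so that only the same Cloudflare ranges can connect to it; with that in place REMOTE_ADDR is always a Cloudflare edge and the header is always present.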