
XF 1.4 Question about Cloudflare and IP detection

Discussion in 'XenForo Questions and Support' started by imthebest, May 17, 2015.

  1. imthebest

    imthebest Formerly Super120

    Hi Mike,

    In a recent thread you said the following:


    I'm using Cloudflare, and in order to make my forum able to recognize the real IPs of my members (and not those Cloudflare IPs) I have added the following to my config.php file:

    By doing this, am I becoming vulnerable?

  2. Mike

    Mike XenForo Developer Staff Member

    If you trust CloudFlare to be giving you the real IP, then you're fine (and really, since you're sending all content through CloudFlare, you better be trusting them).

    Technically, the full caveat is that you should only be looking at that header if the user is actually connecting through CloudFlare, which you would need to identify based on the IP address in REMOTE_ADDR (to confirm it's owned by CloudFlare).
  3. imthebest

    imthebest Formerly Super120

    So in other words, as my config.php currently is, it means that anyone could make XF think that they are browsing via Cloudflare and send a fake 'real' IP address?
  4. Mike

    Mike XenForo Developer Staff Member

    Only if they aren't accessing via CloudFlare (assuming the X-CF-Connecting-IP header they send represents the real IP making the connection to them).
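
The check described in the replies above, written out as an added example (not code from the thread or from XenForo): the forwarded address is used only when `REMOTE_ADDR` falls inside a trusted proxy range. The function names are hypothetical, the ranges are documentation placeholders to be replaced with the list Cloudflare publishes, and the header is assumed to arrive as `$_SERVER['HTTP_CF_CONNECTING_IP']`.

```php
<?php
// Placeholder ranges (constructed, documentation prefixes). Replace with the
// proxy ranges Cloudflare publishes and keep the list current.
$trustedProxyRanges = ['203.0.113.0/24', '2001:db8::/32'];

// True when $ip lies inside the CIDR block $cidr (IPv4 or IPv6).
function ipInCidr(string $ip, string $cidr): bool
{
    $parts = explode('/', $cidr, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[1])) {
        return false;
    }
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = (int) $parts[1];
    if ($bits > strlen($ipBin) * 8) {
        return false;
    }
    $fullBytes = intdiv($bits, 8);
    $remainder = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remainder === 0) {
        return true;
    }
    // Compare only the leading $remainder bits of the next byte.
    $mask = (0xFF << (8 - $remainder)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Returns the forwarded IP only if the TCP peer is a trusted proxy;
// otherwise the header is ignored and the peer address is returned.
function resolveClientIp(array $server, array $ranges): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    foreach ($ranges as $cidr) {
        if (ipInCidr($peer, $cidr) && filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
            return $claimed;
        }
    }
    return $peer;
}
// Constructed request: a direct connection that supplies its own header.
$direct = ['REMOTE_ADDR' => '192.0.2.50', 'HTTP_CF_CONNECTING_IP' => '198.51.100.23'];
var_dump(resolveClientIp($direct, $trustedProxyRanges));
```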
