XF 1.4 Question about Cloudflare and IP detection

imthebest

Well-known member
Hi Mike,

On a recent thread you said the following:

We record the IP that connected to the server, not the untrusted and spoofable forwarded IP. Recording the spoofable IP (only) would create a vulnerability and a trivial way to hide where you're actually connecting from.
https://xenforo.com/community/threa...chromes-data-saver-enabled.97501/#post-930873

I'm using Cloudflare and in order to make my forum able to recognize the real IPs of my members (and not those Cloudflare IPs) I have added the following on my config.php file:

Code:
if (isset($_SERVER['HTTP_CF_CONNECTING_IP']))
{
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}

By doing this, am I becoming vulnerable?

Thanks,
Super120
 
If you trust CloudFlare to be giving you the real IP, then you're fine (and really, since you're sending all content through CloudFlare, you better be trusting them).

Technically, the full caveat is that you should only be looking at that header if the user is actually connecting through CloudFlare, which you would need to identify based on the IP address in REMOTE_ADDR (to confirm it's owned by CloudFlare).
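The check Mike describes above, as an added example that is not code from the original thread or from XenForo itself: the CF-Connecting-IP header is honoured only when the TCP peer in REMOTE_ADDR falls inside one of the configured Cloudflare ranges, otherwise the peer address is kept. The function names (ipInCidr, clientIp) are hypothetical, and the CIDR list is a constructed sample that must be replaced with Cloudflare's published ranges.

```php
<?php
// Added example, not part of the original post or of XenForo.
// Trust CF-Connecting-IP only when the connecting peer is a Cloudflare address.

// Returns true when $ip lies inside the CIDR block $cidr (IPv4 or IPv6).
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $subnetBin = inet_pton($subnet);
    // Reject malformed addresses and IPv4/IPv6 mismatches.
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false;
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    $remainder = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    if ($remainder === 0) {
        return true;
    }
    // Compare only the leading $remainder bits of the next byte.
    $mask = (0xFF << (8 - $remainder)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

// Returns the IP to record: the header value if the peer is Cloudflare,
// otherwise the real peer address. Hypothetical helper for config.php.
function clientIp(array $server, array $cloudflareRanges): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    if ($forwarded === null) {
        return $peer;
    }
    foreach ($cloudflareRanges as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            // The peer really is Cloudflare, so the header was set by the proxy.
            // Still require it to parse as an IP before recording it.
            if (filter_var($forwarded, FILTER_VALIDATE_IP) !== false) {
                return $forwarded;
            }
            break;
        }
    }
    // Direct connection (or a header we cannot trust): keep the real peer.
    return $peer;
}

// Constructed sample ranges; replace with Cloudflare's published IP list
// (https://www.cloudflare.com/ips/) and keep it current.
$cloudflareRanges = ['198.51.100.0/24', '2001:db8:cf::/48'];
$_SERVER['REMOTE_ADDR'] = clientIp($_SERVER, $cloudflareRanges);
```

With this in place, a visitor who connects to the origin directly and sends their own CF-Connecting-IP header is recorded under the address they actually connected from, which is the case the quoted warning is about. The same check can also be done in the web server (for example with Apache's mod_remoteip or nginx's real_ip module configured with the Cloudflare ranges), in which case PHP sees the corrected REMOTE_ADDR and config.php needs no override at all.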
 
So, in other words, as my config.php currently is, it means that anyone could make XF think that they are browsing via Cloudflare and send a fake 'real' IP address?
 
Only if they aren't accessing via CloudFlare (assuming the X-CF-Connecting-IP header they send represents the real IP making the connection to them).
 