fbonalair / traefik-crowdsec-bouncer

An HTTP service to verify requests and bounce them according to decisions made by CrowdSec.
MIT License

bouncer is not detecting real IP address when server is exposed via cloudflare #22

Open dhruvinsh opened 2 years ago

dhruvinsh commented 2 years ago

Hi, I have my server pointing to Cloudflare and Authelia is implemented for security purposes. Now when a client accesses the locally hosted website, they pass CrowdSec and come to Authelia for credentials and then have access to the website. It's perfect, it works as expected. But looking at the logs, the CrowdSec bouncer points out that the IP was from Cloudflare, whereas my Authelia instance does detect the real IP address of the client. It must be my configuration issue, but are you able to point out what I am doing wrong here?

fbonalair commented 2 years ago

Which version of the Bouncer are you using? There's a fix at version 0.3.4 that concerns usage of Cloudflare. Can you try that version? Have you configured Traefik to trust Cloudflare IPs?

dhruvinsh commented 2 years ago

I am running the Docker latest image, so it should be up to date.

In my Traefik setup, for the http and https entrypoints I have a list of trusted IPs in the forwarded header.

What I am hoping to see in the bouncer log is: if someone from a remote country makes a call to my server via the Cloudflare proxy, I would see their real IP. I have Authelia set up as well and it does detect X-Real-IP without any problem.

marcuswoy commented 5 months ago

@dhruvinsh a little late, but maybe this will help. I use Cloudflare + traefik + traefik crowdsec. With this extension you will be able to get the "real IP" via Cloudflare https://github.com/Paxxs/traefik-get-real-ip

    traefik-crowdsec-bouncer:
      forwardauth:
        address: http://traefik-crowdsec-bouncer:8080/api/v1/forwardAuth
        trustForwardHeader: true

    real-ip-cf:
      plugin:
        real-ip:
          Proxy:
            - proxyHeadername: "X-From-Cdn"
              realIP: Cf-Connecting-Ip
              OverwriteXFF: true
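
An added example, not part of the thread and not the bouncer's or the plugin's own code: a Go sketch of the rule behind "trust Cloudflare IPs", where `Cf-Connecting-Ip` is used for the ban lookup only when the direct peer is in the trusted proxy list, and the peer address is used otherwise. `ClientIP`, `mustCIDR`, `trustedProxies` and the `192.0.2.0/24` range are hypothetical placeholders; substitute the ranges configured as trusted IPs in Traefik.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// mustCIDR parses a CIDR at start-up and panics on a malformed entry.
func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// trustedProxies is a constructed placeholder (documentation range) standing
// in for the CDN ranges listed as trusted IPs on the Traefik entrypoints.
var trustedProxies = []*net.IPNet{mustCIDR("192.0.2.0/24")}

// ClientIP returns the address a ban decision should be checked against.
// Cf-Connecting-Ip is honoured only when the direct peer is a trusted proxy
// and the header parses as an IP; in every other case the peer address wins.
func ClientIP(remoteAddr string, h http.Header, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return "" // unparseable peer: caller should reject the request
	}
	for _, n := range trusted {
		if n.Contains(peer) {
			if ip := net.ParseIP(h.Get("Cf-Connecting-Ip")); ip != nil {
				return ip.String()
			}
			break // trusted peer but missing or malformed header
		}
	}
	return peer.String()
}

func main() {
	h := http.Header{}
	h.Set("Cf-Connecting-Ip", "203.0.113.7") // constructed sample value
	fmt.Println(ClientIP("192.0.2.10:443", h, trustedProxies))     // request via trusted proxy
	fmt.Println(ClientIP("198.51.100.5:50000", h, trustedProxies)) // header from untrusted peer ignored
}
```

With `trustForwardHeader: true` on the forwardAuth middleware, the same trust decision has to be made upstream, on the entrypoint's trusted IP list, before the header reaches the bouncer.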