Open SloCompTech opened 3 years ago
I'm looking at #47, and there this could be easily changed.
I've also found this to be an issue. Had to turn off Cloudflare proxy until this is resolved.
Looked into pending pull requests and #47 is a possible solution for this.
This may have been a transient problem with Cloudflare and/or the OP's environment; Cloudflare are indeed sending X-Forwarded-For per the standard form:
X-Forwarded-For: <client>, <proxy1>, <proxy2>
ref. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
You can verify this yourself by:
Cloudflare seems to use the true-client-ip header for the IP. What about adding an optional parameter to pick a header that would be prioritized when reading IP?
Cloudflare state in their docs https://developers.cloudflare.com/fundamentals/get-started/http-request-headers:
There is no difference between the True-Client-IP and CF-Connecting-IP headers besides the name of the header.
and further that True-Client-IP is only available for traffic on their Enterprise plan.
i.e. CF-Connecting-IP should be used when using Cloudflare.
I would expect any prioritised list of headers would be a major problem: if you happen to not be using one of the lesser priority proxy headers then a malicious user can simply send along a higher priority header with any value they choose. Cloudflare warn of this issue in the above doc (in the section on True-Client-IP).
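To make the spoofing concern in the comment above concrete, here is an added example (not code from request-ip or from any fork mentioned in this thread) that reads exactly one configured header, and only when the TCP peer is a known proxy. The function names, the `opts` shape and the `203.0.113.0/24` range are assumptions for illustration; the range is a constructed placeholder, and the sketch handles IPv4 only to stay short.

```javascript
// Added example. TRUSTED_PROXIES is a constructed placeholder (TEST-NET-3);
// a real deployment loads the proxy operator's published ranges instead.
const TRUSTED_PROXIES = ['203.0.113.0/24'];

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when ip falls inside the IPv4 CIDR block (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// headers: lower-cased header map as Node provides it.
// peerAddress: the socket's remote address (req.socket.remoteAddress).
function resolveClientIp(headers, peerAddress, opts = {}) {
  const header = opts.header || 'cf-connecting-ip';
  const proxies = opts.trustedProxies || TRUSTED_PROXIES;
  // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
  const peer = String(peerAddress).replace(/^::ffff:/i, '');
  const fromProxy = proxies.some((cidr) => inCidr(peer, cidr));
  // A request that did not arrive through the proxy gets no header trust at
  // all, so a client-supplied forwarding header cannot change the result.
  if (!fromProxy) return { ip: peer, source: 'socket' };
  const value = headers[header];
  // Only the single configured header is read; there is no fallback chain.
  if (typeof value === 'string' && ipv4ToInt(value) !== null) {
    return { ip: value.trim(), source: header };
  }
  return { ip: peer, source: 'socket' };
}
```

The peer check only helps if the origin is also firewalled so that nothing except the proxy can reach it directly.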
Has this been resolved? Looking at the library and using Cloudflare.
I ran into the same issue a day ago, but luckily I forked and adjusted the code a long time ago.
You can try it out... https://github.com/Chheung/request-ip
Usage:
app.use(requestIp.mw(), {
prioritize: ['cf-connecting-ip'],
});
What it does is reorder the header check in https://github.com/pbojinov/request-ip#how-it-works
Related issue: #75
Any news on this one? Has this been resolved?
Hi, I'm getting the proxy IP instead of the client IP when I have the app proxied via Cloudflare. Cloudflare docs say we should look in CF-Connecting-IP, because the value of X-Forwarded-For is the same as CF-Connecting-IP only if the previous is not set (in my example it is set with the proxy IP). Now I'm getting only the proxy IP in X-Forwarded-For.
Example headers I get: