pbojinov / request-ip

A Node.js module for retrieving a request's IP address on the server.
https://npmjs.com/package/request-ip
MIT License

Wrong IP if proxied via CloudFlare #48

Open SloCompTech opened 3 years ago

SloCompTech commented 3 years ago

Hi, I'm getting the proxy IP instead of the client IP when I have my app proxied via Cloudflare. The Cloudflare docs say we should look in CF-Connecting-IP, because the value of X-Forwarded-For is the same as CF-Connecting-IP only if the former was not already set (in my example it is set with the proxy IP). Now I'm getting only the proxy IP in X-Forwarded-For.

Example headers I get:

Host: <somehost>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.5
Cdn-Loop: cloudflare
Cf-Connecting-Ip: <CLIENTIP>
Cf-Ipcountry: <someval>
Cf-Ray: <someval>
Cf-Request-Id: <someval>
Cf-Visitor: {"scheme":"https"}
Cookie: _ga=<someval>; __cfduid=<someval>
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 162.158.90.163
X-Forwarded-Host: <somehost>
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: <someval>
X-Real-Ip: 162.158.90.163

SloCompTech commented 3 years ago

I'm looking at #47, and there this could be easily changed.

njbarrett commented 3 years ago

I've also found this to be an issue. Had to turn off the Cloudflare proxy until this is resolved.

SloCompTech commented 3 years ago

Looked into pending pull requests and #47 is possible solution for this.

ad8-bdl commented 2 years ago

This may have been a transient problem with Cloudflare and/or the OP's environment; Cloudflare are indeed sending X-Forwarded-For per the standard form:

X-Forwarded-For: <client>, <proxy1>, <proxy2>

ref. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

You can verify this yourself by:

  1. creating a CNAME record on your Cf domain, pointing to httpbin.org
  2. enable the Cf proxy for that CNAME
  3. call https://httpbin.yourdomain.com/anything?show_env=1
  4. observe the X-Forwarded-For header string is of the above form, e.g. "X-Forwarded-For": "a.b.c.d, 108.162.250.151" (the former is my client address, the latter is a Cf address)

alko89 commented 2 years ago

Cloudflare seems to use true-client-ip header for the IP. What about adding an optional parameter to pick a header that would be prioritized when reading IP?

ad8-bdl commented 2 years ago

Cloudflare state in their docs https://developers.cloudflare.com/fundamentals/get-started/http-request-headers:

There is no difference between the True-Client-IP and CF-Connecting-IP headers besides the name of the header.

and further that True-Client-IP is only available for traffic on their Enterprise plan.

i.e. CF-Connecting-IP should be used when using Cloudflare.

I would expect any prioritised list of headers would be a major problem: if you happen to not be using one of the lesser-priority proxy headers, then a malicious user can simply send along a higher-priority header with any value they choose. Cloudflare warn of this issue in the above doc (in the section on True-Client-IP).

k2xl commented 2 years ago

Has this been resolved? Looking at the library and using cloudflare

Chheung commented 1 year ago

I ran into the same issue a day ago, but luckily I forked and adjusted the code a long time ago.

You can try it out... https://github.com/Chheung/request-ip

Usage:

// Options go to mw(); Express rejects a bare object as a second app.use() argument.
app.use(requestIp.mw({
  prioritize: ['cf-connecting-ip'],
}));

What it does is reordering header check in https://github.com/pbojinov/request-ip#how-it-works

Related issue: #75

olivbau commented 7 months ago

Any news on this one? Has this been resolved?