Cloudflare IPs rather than user IPs in log

Home Forums BulletProof Security Free Cloudflare IPs rather than user IPs in log

Tagged: 

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • June 3, 2013 at 6:50 am #6560
    Aventura
    Participant

    Hi

    In my BPS security logs it only shows cloudlfare’s IP address rather than the IP they are forwarding even though it looks (to me and I’m no expert) that it believes it is displaying the forwarded Ip too under “HTTP_X_FORWARDED_FOR”. Is there a way to fix this or is this correct behaviour and the logs cannot show the users IP? An example:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - May 19, 2013 - 11:12 am <<<<<<<<<<<
REMOTE_ADDR: 108.162.221.92
Host Name: 108.162.221.92
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR: 108.162.221.92
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /sitemap.xml
QUERY_STRING:
HTTP_USER_AGENT:
    June 3, 2013 at 7:11 am #6562
    AITpro Admin
    Keymaster

    To tell you the truth I am not really sure what cloudflare does exactly.  I am aware that any CDN service changes your DNS information in a way that you can never find out your true DNS info anymore, which makes things very difficult to troubleshoot, but that is just one of the minor downsides to using cloud services.

    The error looks suspicious.  Any respectable request is going to have a valid User Agent.  The User Agent is blank in this error/request.  That usually indicates either a spammer or a hacker is doing something – scraping, probing, sniffing, recon, etc etc etc.

    You can just ignore this.

    June 3, 2013 at 7:24 am #6569
    Aventura
    Participant

    Well I don’t know how it does it but it does pass the real IP address along via “HTTP_CF_CONNECTING_IP” but I think its possible to get it without directly looking for that as MyBB has a “scrutinise user’s IP address” setting which looks for: HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP headers.

    June 3, 2013 at 7:27 am #6572
    AITpro Admin
    Keymaster

    I believe this is something that you would not be able to control or change on your end since HTTP_X_FORWARDED_FOR is coming from an external source – your CDN.  check with the cloudflare folks and see what they have to say.  I am not that familiar with what cloud services do.

    June 3, 2013 at 10:06 am #6584
    John – CloudFlare
    Participant

    I work at CloudFlare.

    We operate as a global reverse proxy providing security and acceleration for websites using CloudFlare. The public IP addresses are in CloudFlare’s IP space http://www.cloudflare.com/ips and we connect back to your server(s) from within those same ranges.

    We include the original visitor IP address in the header of every request we pass back.

    Details: https://support.cloudflare.com/entries/22055137-why-do-my-server-logs-show-cloudflare-s-ips-using-cloudflare

    List of methods for getting original visitor IP: https://support.cloudflare.com/forums/21318827-how-do-i-restore-original-visitor-ip-to-my-server-logs

    As long as the BPS plugin can “see” the original visitor IPs, this shouldn’t be a problem.

    John Roberts / CloudFlare

    June 3, 2013 at 10:33 am #6585
    AITpro Admin
    Keymaster

    Thanks for the links/info John.  One of these days when I have the spare time I will give Cloudflare a test drive.  Looks Cool!  And yep, BPS is logging $_SERVER variables so whatever is sent in the Request is what is logged.

    Correction:  What I said about getting the original DNS info after being sent through Cloudflare Servers is not clear and actually sounds like a negative statement.  Obviously since content is stored on the Cloudflare Servers then the IP Address MUST be a Cloud Server’s IP address (or Proxy IP) since this would not work any other way of course.  We were doing something with DNS a while back, but abandoned that approach and are now using a different approach since Cloud services are the future.

    January 20, 2015 at 11:25 am #20592
    Rhodri
    Participant

    Any updates on resolving actual IPs instead of Cloudflare IPs / Hostnames? This is a big deal for us. Appreciate any help possible.

    January 20, 2015 at 11:47 am #20597
    AITpro Admin
    Keymaster

    What exactly is the question you are asking?  Is there a problem occurring?  If so, what is the problem?  Does the question have to do with the BPS Pro Plugin Firewall?  Do you want to know how to add (whitelist) additional IP addresses (cloudflare, etc) in the BPS Pro Plugin Firewall?

    March 14, 2015 at 4:40 am #21413
    rafaelmagic
    Participant

    @Rhodori,

    some people place XForwarded For code in their WP-Config. google and you should find some sample. Test them and see which one works. if you have root access you can also install rmodpaf to get the XForwarded or Real Ip. Depends on your Apache version. Also you could prepend a Php file with XForwarded commands to all your Php scripts. But that requires root access too. Also Google adding XForwarded code to your child theme function.php. Off the top of my head that covers a few ways.

  • Author
    Posts
Viewing 9 posts - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.