Cloudflare IPs rather than user IPs in log

Home Forums BulletProof Security Free Cloudflare IPs rather than user IPs in log

Tagged: 

This topic contains 8 replies, has 5 voices, and was last updated by  rafaelmagic 3 years, 1 month ago.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #6560

    Aventura
    Participant

    Hi

    In my BPS security logs it only shows cloudlfare’s IP address rather than the IP they are forwarding even though it looks (to me and I’m no expert) that it believes it is displaying the forwarded Ip too under “HTTP_X_FORWARDED_FOR”. Is there a way to fix this or is this correct behaviour and the logs cannot show the users IP? An example:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - May 19, 2013 - 11:12 am <<<<<<<<<<<
    REMOTE_ADDR: 108.162.221.92
    Host Name: 108.162.221.92
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR: 108.162.221.92
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /sitemap.xml
    QUERY_STRING:
    HTTP_USER_AGENT:
    #6562

    AITpro Admin
    Keymaster

    To tell you the truth I am not really sure what cloudflare does exactly.  I am aware that any CDN service changes your DNS information in a way that you can never find out your true DNS info anymore, which makes things very difficult to troubleshoot, but that is just one of the minor downsides to using cloud services.

    The error looks suspicious.  Any respectable request is going to have a valid User Agent.  The User Agent is blank in this error/request.  That usually indicates either a spammer or a hacker is doing something – scraping, probing, sniffing, recon, etc etc etc.

    You can just ignore this.

    #6569

    Aventura
    Participant

    Well I don’t know how it does it but it does pass the real IP address along via “HTTP_CF_CONNECTING_IP” but I think its possible to get it without directly looking for that as MyBB has a “scrutinise user’s IP address” setting which looks for: HTTP_X_FORWARDED_FOR or HTTP_X_REAL_IP headers.

    #6572

    AITpro Admin
    Keymaster

    I believe this is something that you would not be able to control or change on your end since HTTP_X_FORWARDED_FOR is coming from an external source – your CDN.  check with the cloudflare folks and see what they have to say.  I am not that familiar with what cloud services do.

    #6584

    John – CloudFlare
    Participant

    I work at CloudFlare.

    We operate as a global reverse proxy providing security and acceleration for websites using CloudFlare. The public IP addresses are in CloudFlare’s IP space http://www.cloudflare.com/ips and we connect back to your server(s) from within those same ranges.

    We include the original visitor IP address in the header of every request we pass back.

    Details: https://support.cloudflare.com/entries/22055137-why-do-my-server-logs-show-cloudflare-s-ips-using-cloudflare

    List of methods for getting original visitor IP: https://support.cloudflare.com/forums/21318827-how-do-i-restore-original-visitor-ip-to-my-server-logs

    As long as the BPS plugin can “see” the original visitor IPs, this shouldn’t be a problem.

    John Roberts / CloudFlare

    #6585

    AITpro Admin
    Keymaster

    Thanks for the links/info John.  One of these days when I have the spare time I will give Cloudflare a test drive.  Looks Cool!  And yep, BPS is logging $_SERVER variables so whatever is sent in the Request is what is logged.

    Correction:  What I said about getting the original DNS info after being sent through Cloudflare Servers is not clear and actually sounds like a negative statement.  Obviously since content is stored on the Cloudflare Servers then the IP Address MUST be a Cloud Server’s IP address (or Proxy IP) since this would not work any other way of course.  We were doing something with DNS a while back, but abandoned that approach and are now using a different approach since Cloud services are the future.

    #20592

    Rhodri
    Participant

    Any updates on resolving actual IPs instead of Cloudflare IPs / Hostnames? This is a big deal for us. Appreciate any help possible.

    #20597

    AITpro Admin
    Keymaster

    What exactly is the question you are asking?  Is there a problem occurring?  If so, what is the problem?  Does the question have to do with the BPS Pro Plugin Firewall?  Do you want to know how to add (whitelist) additional IP addresses (cloudflare, etc) in the BPS Pro Plugin Firewall?

    #21413

    rafaelmagic
    Participant

    @Rhodori,

    some people place XForwarded For code in their WP-Config. google and you should find some sample. Test them and see which one works. if you have root access you can also install rmodpaf to get the XForwarded or Real Ip. Depends on your Apache version. Also you could prepend a Php file with XForwarded commands to all your Php scripts. But that requires root access too. Also Google adding XForwarded code to your child theme function.php. Off the top of my head that covers a few ways.

Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.