nodebb shows cloudflare IP as user IP
-
I serve nodebb using Caddy's reverse proxy, and use cloudflare's proxy service for DDOS protection, etc.
I noticed that the IP addresses that the forum displays for users are addresses that belong to cloudflare, for example 162.158.23.58, and not the real address of the user.
What can solve this? Any definition or something?
Thank you.
My Caddyfile:
myforum.ovh {
    reverse_proxy localhost:4567
}
-
@tankerkiller125 I checked now and even without caddy, when I listen directly on port 80, the address received by nodebb is cloudflare's and not the real one.
So it's probably a setting (or bug) at the nodebb level.
-
@tankerkiller125 I preferred not to install models with 40 stars on GitHub.
Finally I found an elegant and structured solution, hiding in this comment on github:
myforum.com {
    reverse_proxy localhost:4567 {
        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
    }
}
This essentially rewrites the request, and populates the X-Forwarded-For header with the value of the CF-Connecting-IP header, which is defined by cloudflare as a safe value to look at instead of X-Forwarded-For.
And it's not a hack or something problematic for performance, it's an official possibility.
I think I'm protected now, am I right?
-
I see now that caddy docs refer to a guide to configure in cloudflare to remove the X-Forwarded-For header that is received from the client (because by default, if the client sent X-Forwarded-For, cloudflare will not touch it) and then to configure trusted_proxies.
Is there interest in this way over what I did?
-
However you configure it is up to you. I have not seen any major issues with trusting the X-Forwarded-For header from CloudFlare. Sure, someone can send garbage data through, I suppose... it just means some of the values in the IP list get a little messed up but doesn't affect day-to-day operations.
A trusted proxy list is probably more secure, though, sure.
-
@julian If you use nodebb's IP blacklist option (I do not), it does make a difference.
But in any case something needs to be defined, there are 2 options:
1. Set a trusted proxy, otherwise the forum will never know the real IP addresses, the cloudflare address will always appear, and IP addresses are a very useful thing to identify duplicate spam users, for example.
   1.1 Optional - define a transform rule that will verify that the received address is real and not faked by a slightly advanced user.
2. Add the line I brought, and thus actually refer to CF-Connecting-IP.
I don't see any security advantage for trusted proxy (method 1) over the definition I brought.
-
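To make the difference between the two options concrete, here is an added Python model (not NodeBB's or Caddy's code) of how a client IP is resolved from X-Forwarded-For with a trusted-proxy walk versus by trusting the header blindly, and of what the header_up rewrite changes; the Cloudflare range, the loopback peer and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from typing import Optional

# Assumed trusted hops: the Cloudflare range containing the thread's 162.158.23.58
# example (162.158.0.0/15 appears in Cloudflare's published list; verify against the
# current list) plus loopback, since Caddy connects to NodeBB from localhost.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("162.158.0.0/15", "127.0.0.0/8")]

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def split_xff(xff: Optional[str]) -> list:
    return [h.strip() for h in xff.split(",") if h.strip()] if xff else []

def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    # Blindly trust the leftmost X-Forwarded-For entry, whoever wrote it.
    hops = split_xff(xff)
    return hops[0] if hops else remote_addr

def client_ip_trusted(remote_addr: str, xff: Optional[str]) -> str:
    # Method 1 (trusted_proxies): start at the TCP peer and walk leftwards through
    # X-Forwarded-For, skipping trusted proxies; the first untrusted hop is the client.
    # Same rule Express's 'trust proxy' applies when computing req.ip.
    hops = split_xff(xff) + [remote_addr]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop was a trusted proxy; nothing better to report

def caddy_header_up(headers: dict) -> dict:
    # Method 2 (header_up): model Caddy replacing X-Forwarded-For with the
    # CF-Connecting-IP value, so anything the client put in X-Forwarded-For is dropped.
    out = dict(headers)
    out["X-Forwarded-For"] = headers["CF-Connecting-IP"]
    return out

# Constructed request: client 203.0.113.7 sends a forged X-Forwarded-For of
# 198.51.100.9; Cloudflare appends the real address, then Caddy appends Cloudflare's.
SPOOFED = {
    "X-Forwarded-For": "198.51.100.9, 203.0.113.7, 162.158.23.58",
    "CF-Connecting-IP": "203.0.113.7",
}
NODEBB_PEER = "127.0.0.1"  # NodeBB's TCP peer is Caddy on localhost

if __name__ == "__main__":
    print(client_ip_naive(NODEBB_PEER, SPOOFED["X-Forwarded-For"]))    # 198.51.100.9 (forged)
    print(client_ip_trusted(NODEBB_PEER, SPOOFED["X-Forwarded-For"]))  # 203.0.113.7
    print(client_ip_naive(NODEBB_PEER, caddy_header_up(SPOOFED)["X-Forwarded-For"]))  # 203.0.113.7
```

Both the trusted-proxy walk and the header_up rewrite recover the real client; only the naive leftmost read is fooled by the forged entry, and the trusted list additionally ensures nothing is believed unless it actually arrived through Cloudflare.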