mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 06:08:33 -05:00
How to set real ip header to CF-Connecting-IP for cloudflare proxy. #148
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @jbarozi-psl on GitHub (Mar 16, 2025).
I have enabled the cloudflare proxy on the domain side but need a way to set the real ip header to CF-Connection-IP. I do not see a way to set this correctly.
I need this to enable rules on some applications i have behind pangolin.
@CooperFLe commented on GitHub (Mar 17, 2025):
You should be able to achieve this using traefik plugins. There are numerous for CF proxies. Here is just one example
https://plugins.traefik.io/plugins/62e97498e2bf06d4675b9443/real-ip-from-cloudflare-proxy-tunnel
@miloschwartz commented on GitHub (Mar 17, 2025):
Hey, we've been aware of the special header that CF sets with the original client's IP. This partly from a lack of understanding on our end, but wouldn't this header be able to be spoofed? Someone could send a different IP as the header to bypass a restriction. Let me know what you think.
@CooperFLe commented on GitHub (Mar 17, 2025):
The client isn't setting the header. It is coming from the middleware, so if the client sets it, the middleware should overwrite it. However, that depends on the implementation of the middleware.
@notmeta commented on GitHub (Apr 8, 2025):
Cloudflare publishes their IPs which you can use to verify the request came from CF and whether or not to trust the header: https://www.cloudflare.com/ips/
@gitmotion commented on GitHub (May 12, 2025):
any luck with this? i set up this plugin and used it on the traefik config but can't seem to get the ip rules working on pangolin.
it's not the biggest deal since im able to block via cf waf rules/etc but would be nice to see if anyone has this passing/working correctly
Edit:
@gitmotion commented on GitHub (May 13, 2025):
hey there!
just wanted to add some more findings onto here. i may be wrong but it seems like, if not using cloudflare/not parsing cf headers this is more prone to spoofing?
tldr:
pangolin can't parse cf headers = spoofable with cf workers (current state)
pangolin can parse cf headers = can block ips / cf workers (desired state)
seems like
CF-Connecting-IPwould be the authoritative truth when proxying through CFon the contrary however, i also saw that someone can use a cloudflare worker to replace x-real-ip with some caveats
2a06:98c0:3600::103looking for wordpress exploits, which means they must be using a cf worker. but in either case, being able to pass/parse theCF-Connecting-IPwould at least allow CF users to explicitly ban this per resources' ip rules within pangolinwhere as
x-forwarded-forwould have the ips appended if already seti'm sure you looked into this a lot already but in theory it seems like it should be possible to allow users to define a
CF_IP_LIST(making it the user's responsibility to keep this up-to-date) or have a setting whereCF_PROXY=trueCF-Connecting-IPinstead.from what it seems like, having the ability to check
CF-Connecting-IPis more secure than not being able to@overclockit commented on GitHub (May 16, 2025):
As I mentioned in GitHub Issue #619, Badger's current implementation handles IP validation relying solely on &req.RemoteAddr to determine client IP and whether an IP matches a rule, which when using a proxy, whether Cloudflare/Orange Cloud or other will always return the address of the proxy or service creating/forwarding the HTTP request, like a CF worker.
I have this working in my setup by using a locally edited version of Badger but any permanent fix should come with validation that trustedIPs is set and almost as importantly not wide open / set to 0.0.0.0/0. So long as trustedIPs is already set within Traefik using Cloudflare CIDR's, Badger doesn't need to revalidate the header as it is assumed trusted by Traefik's own rules.
@miloschwartz commented on GitHub (May 19, 2025):
@OverclockIT Understood this makes sense. If anyone has the capacity to open a PR to begin work on this that would be a huge help, but we want to get to this.