mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-13 19:54:13 -05:00
[GH-ISSUE #341] How to set real ip header to CF-Connecting-IP for cloudflare proxy. #3343
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @jbarozi-psl on GitHub (Mar 16, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/341
I have enabled the cloudflare proxy on the domain side but need a way to set the real ip header to CF-Connection-IP. I do not see a way to set this correctly.
I need this to enable rules on some applications i have behind pangolin.
@CooperFLe commented on GitHub (Mar 17, 2025):
You should be able to achieve this using traefik plugins. There are numerous for CF proxies. Here is just one example
https://plugins.traefik.io/plugins/62e97498e2bf06d4675b9443/real-ip-from-cloudflare-proxy-tunnel
@miloschwartz commented on GitHub (Mar 17, 2025):
Hey, we've been aware of the special header that CF sets with the original client's IP. This partly from a lack of understanding on our end, but wouldn't this header be able to be spoofed? Someone could send a different IP as the header to bypass a restriction. Let me know what you think.
@CooperFLe commented on GitHub (Mar 17, 2025):
The client isn't setting the header. It is coming from the middleware, so if the client sets it, the middleware should overwrite it. However, that depends on the implementation of the middleware.
@notmeta commented on GitHub (Apr 8, 2025):
Cloudflare publishes their IPs which you can use to verify the request came from CF and whether or not to trust the header: https://www.cloudflare.com/ips/
@gitmotion commented on GitHub (May 12, 2025):
any luck with this? i set up this plugin and used it on the traefik config but can't seem to get the ip rules working on pangolin.
it's not the biggest deal since im able to block via cf waf rules/etc but would be nice to see if anyone has this passing/working correctly
Edit:
@gitmotion commented on GitHub (May 13, 2025):
hey there!
just wanted to add some more findings onto here. i may be wrong but it seems like, if not using cloudflare/not parsing cf headers this is more prone to spoofing?
tldr:
pangolin can't parse cf headers = spoofable with cf workers (current state)
pangolin can parse cf headers = can block ips / cf workers (desired state)
seems like
CF-Connecting-IPwould be the authoritative truth when proxying through CFon the contrary however, i also saw that someone can use a cloudflare worker to replace x-real-ip with some caveats
2a06:98c0:3600::103looking for wordpress exploits, which means they must be using a cf worker. but in either case, being able to pass/parse theCF-Connecting-IPwould at least allow CF users to explicitly ban this per resources' ip rules within pangolinwhere as
x-forwarded-forwould have the ips appended if already seti'm sure you looked into this a lot already but in theory it seems like it should be possible to allow users to define a
CF_IP_LIST(making it the user's responsibility to keep this up-to-date) or have a setting whereCF_PROXY=trueCF-Connecting-IPinstead.from what it seems like, having the ability to check
CF-Connecting-IPis more secure than not being able to@overclockit commented on GitHub (May 16, 2025):
As I mentioned in GitHub Issue #619, Badger's current implementation handles IP validation relying solely on &req.RemoteAddr to determine client IP and whether an IP matches a rule, which when using a proxy, whether Cloudflare/Orange Cloud or other will always return the address of the proxy or service creating/forwarding the HTTP request, like a CF worker.
I have this working in my setup by using a locally edited version of Badger but any permanent fix should come with validation that trustedIPs is set and almost as importantly not wide open / set to 0.0.0.0/0. So long as trustedIPs is already set within Traefik using Cloudflare CIDR's, Badger doesn't need to revalidate the header as it is assumed trusted by Traefik's own rules.
@miloschwartz commented on GitHub (May 19, 2025):
@OverclockIT Understood this makes sense. If anyone has the capacity to open a PR to begin work on this that would be a huge help, but we want to get to this.
@Makifun commented on GitHub (Nov 24, 2025):
Any way you could share your edits? I would also like to be able to see my visitors real IPs and not the cloudflare proxy... 🥺 I tried using your fork(and your dev branch) but I was not successful(using localPlugins in Traefik).
@HiDef888 commented on GitHub (Dec 18, 2025):
https://docs.pangolin.net/self-host/advanced/cloudflare-proxy#getting-the-real-client-ip
I have been unsuccessful in getting this to work. It seems like some information is missing from the documentation or at least it could be a bit more specific.
@gael1980 commented on GitHub (Dec 19, 2025):
Same problem
@jghaanstra commented on GitHub (Dec 19, 2025):
@HiDef888 @gael1980 the issue is caused by Badger. There is a patched Badger plugin you can use to get this working properly although this solution is flawed in it's own way. Read more about it here.
https://github.com/fosrl/badger/issues/6
We need to wait for the guys from Pangolin to fix this properly by updating Badger with a more bulletproof solution.
@gael1980 commented on GitHub (Dec 19, 2025):
Thanks for your reply.
@gitmotion commented on GitHub (Dec 19, 2025):
hey all,
been keeping up with the threads about this and i totally understand and agree with the need of checking against a cloudflare ip list before accepting the
CF-Connecting-IPheader and have been pondering about this / just want to confirm:in reference to @overclockit's comment here:
cf-connecting-ipheader is not spoofable, since traefik/pangolin routes would only be accessible via cloudflare?thanks for any insight! 🙏🏻
@onno204 commented on GitHub (Dec 25, 2025):
fyi:
Badger has recently released version 1.3.0 which should support the
CF-Connecting-IPheader by default.https://github.com/fosrl/badger?tab=readme-ov-file#ip-handling-configuration
As I don't use Cloudflare I haven't tested this
@CyberSparkCloud commented on GitHub (Dec 25, 2025):
I've tested it with Cloudflare and it works perfectly now.
@gael1980 commented on GitHub (Dec 26, 2025):
Yes, I tested. It works without problems