Validate that $_SERVER['REMOTE_ADDR'] is actually from Cloudflare before checking $_SERVER['HTTP_CF_CONNECTING_IP'].
Here is the PHP code I use to get the visitor's IP address. It works 99.999% of the time, but there seems to be a request that is getting through every day and using Cloudflare’s IP address.
It appears to be the same user bouncing around on VPN connections, that is sometimes able to spoof his IP address as being actually Cloudflare for requests.
Is there another way to validate the CF_CONNECTING_IP or get the IP address of the user?
The IP Address that my program is showing accessing pages is ‘104.28.49.x’
Which is 1746678016 and should fall into the rules above to give me the real user’s IP address.
Here’s the user’s IP that is ‘getting through’: ‘104.28.49.x’, and it does fall in the IP ranges I have listed.
I can’t understand how it’s getting past using the Cloudflare IP address, unless it is sending a header with CF_CONNECTING_IP: 104.28.49.x …
I have tried everything to catch this IP request in a log, my code above is simple…
Please help me understand. These requests are being used to bypass my spam detection to get my content. The user is logged into my website and 1 hour previously was visiting from a VPN in Latvia… and then somehow switched to be a Cloudflare IP address and bottled all of my content.
Reading the WARP documents now… it seems WARP means Cloudflare Workers and other services? How can I stop a rogue Cloudflare Worker from accessing my page?
Is it safe to assume that if the end ‘actual IP address’ is still a Cloudflare IP address, it’s a ‘WARP USER’?
YOUR IP is 104.24.0.0/14, is inside of 104.16.0.0/12, the IP range is split strange… but it’s inside of the code I provided. I convert the IP to long.
I’m just providing Whois information, in the code I have the exact Cloudflare IP list. The IP seems to whois strange, but I assure you the PHP code has the Cloudflare list you provide. I’m going to convert them all from Long to IPs again and post it here.
I’ve fixed that to be more correct… So that can’t be the reason that the wrong IP Address is coming in…
Still a little confused, please advise if possible. How does a logged-in user keep coming through Cloudflare’s IP? My last line $ip=$_SERVER['HTTP_CF_CONNECTING_IP'] should in theory make the IP address blank.
Bump. Do you have any suggestions on how to determine how this visitor is coming to the website with a Cloudflare IP?
Is there any documentation on WARP user? How can I connect to my website using WARP so that I can test things?
P.S. Isn’t it a huge security hole to have millions of websites simply looking for $_SERVER['HTTP_CF_CONNECTING_IP']? If somebody gets the home IP of any server on Cloudflare, they can spoof that header and bypass everything most likely.
That IP is still not in the list of Cloudflare’s IP range. It is not a proxy IP. It IS the CF_CONNECTING_IP.
That is still not right.
104.24.0.0/14 includes IPs from 104.24.0.0 to 104.27.255.255
The IP is from Cloudflare’s VPN service. Like any other VPN, it hides the users real IP address.
People don’t just “get” an IP address that belongs to Cloudflare. But Cloudflare does provide additional security for this case, either with Authenticated Origin Pulls or Cloudflare Tunnels.
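The range check discussed in this thread, as an added PHP example that is not the original poster's code: CF-Connecting-IP is trusted only when REMOTE_ADDR falls inside a Cloudflare proxy range, and an address such as 104.28.49.x tests as outside 104.24.0.0/14. The two CIDRs are a subset of the list published at https://www.cloudflare.com/ips/; the function names and sample requests are constructed for illustration, and 64-bit PHP is assumed.

```php
<?php
// Added example; not the original poster's code. Assumes 64-bit PHP.
// Subset of Cloudflare's published IPv4 proxy ranges (assumption: production
// code loads the full, current list from https://www.cloudflare.com/ips/).
const CF_PROXY_RANGES = ['104.16.0.0/13', '104.24.0.0/14'];

function ipv4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;               // not IPv4: never treated as a match
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isCloudflareProxy(string $addr): bool
{
    foreach (CF_PROXY_RANGES as $cidr) {
        if (ipv4InCidr($addr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Trust CF-Connecting-IP only when the TCP peer is a Cloudflare proxy.
function clientIp(array $server): string
{
    $peer   = $server['REMOTE_ADDR'] ?? '';
    $header = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if (isCloudflareProxy($peer) && filter_var($header, FILTER_VALIDATE_IP) !== false) {
        return $header;
    }
    return $peer;                   // direct hit on the origin: ignore the header
}

// Constructed sample requests (104.28.49.7 stands in for the thread's 104.28.49.x).
$viaProxy = ['REMOTE_ADDR' => '104.26.1.10', 'HTTP_CF_CONNECTING_IP' => '104.28.49.7'];
$direct   = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_CF_CONNECTING_IP' => '104.28.49.7'];

var_dump(isCloudflareProxy('104.28.49.7')); // visitor address tested against the proxy ranges
var_dump(clientIp($viaProxy));              // peer is a proxy, so the header is used
var_dump(clientIp($direct));                // peer is not a proxy, so the header is ignored
```

The range check only establishes that the peer is a Cloudflare proxy; Authenticated Origin Pulls or Cloudflare Tunnels, mentioned above, are what keep non-Cloudflare clients from reaching the origin at all.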