I have a site which hosts a Teamspeak 3 Banner (an image that gets refreshed every minute by hundreds of people) and it’s cached for one minute with a Page Rule and my nginx config.
Now I wanted to create a forum, and we noticed that we all log in from the same IP, which is 184.108.40.206 (Scaleway - Online S.A.S.). That’s weird because I DO have set_real_ip_from set on nginx and it worked fine.
On my DNS records I have only my web server IP which is at OVH and Cloudflare Proxy is turned on.
When you go to https://teamspeak.rs/forum/lele.php (lol for lele.php) you SHOULD see your own IP, but instead you see this IP: 220.127.116.11
If I block the IP 18.104.22.168 on my machine directly with iptables -I INPUT -s 22.214.171.124 -j DROP, the site becomes completely inaccessible (it shows the Cloudflare error that the origin server is down).
If I do a set_real_ip_from 126.96.36.199; then my IP shows up at https://teamspeak.rs/forum/lele.php, which works fine, BUT I don’t want an IP to sniff my data, especially passwords in plain text, now.
Well done, my site is under a MITM attack.
Here are some follow-up screenshots and info that I found about that IP:
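To show why adding an unknown address to set_real_ip_from matters, here is an added example (not from the original post or from nginx itself) that reproduces the realip module's trust decision in Python: a client-IP header is believed only when the TCP peer is on the trusted proxy list, otherwise the peer itself is reported as the client. The trusted network and client addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample: the proxy networks this origin is willing to trust.
# In a Cloudflare setup these would be Cloudflare's published ranges; a
# placeholder range is used here, and the unexpected address from the post
# is deliberately NOT listed.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder CDN range


def is_trusted(addr: str) -> bool:
    """True if addr falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed hop is never trusted
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: dict) -> str:
    """Mirror nginx realip semantics: a forwarded client-IP header is only
    believed when the TCP peer (remote_addr) is a proxy we trust. If an
    untrusted host sits between the CDN and the origin, that host is what
    the application sees, which is exactly the symptom described above."""
    if not is_trusted(remote_addr):
        return remote_addr
    cf = headers.get("CF-Connecting-IP")
    if cf:
        return cf.strip()
    # Fallback: walk X-Forwarded-For right-to-left, skipping trusted hops
    # (what real_ip_recursive on does) and stop at the first untrusted one.
    xff = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(xff):
        if not is_trusted(hop):
            return hop
    return remote_addr
```

Trusting the unknown address instead (adding it to TRUSTED_PROXIES) would make the header values it sends authoritative, which is why restoring the "right" IP that way is not a fix.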