Non-Cloudflare IP (51.15.55.132) contacting my Origin server

Hi,

I have a site which hosts a Teamspeak 3 Banner (a image that gets refreshed every minute by hundreds of people) and it’s cached to one minute with a Page Rule and my nginx config.

Now I wanted to create a forum and we noticed that we all login from the same IP which is 51.15.55.132 (Scaleway - Online S.A.S.) and that’s weird because I DO have set_real_ip_from on nginx and it worked fine.

On my DNS records I have only my web server IP which is at OVH and Cloudflare Proxy is turned on.
When you go on https://teamspeak.rs/forum/lele.php (lol for lele.php) you SHOULD see your IP but you see the IP: 51.15.55.132

If I block the IP 51.15.55.132 on my machine directly with iptables -I INPUT -s 51.15.55.132 -j DROP the site becomes completely inaccessible. (it shows the cloudflare error that the origin server is down).

If I do a set_real_ip_from 51.15.55.132; then my IP shows up at https://teamspeak.rs/forum/lele.php which works fine BUT I don’t want a IP to sniff my data especially passwords in plain text now.

Well done my site is in a MITM attack.

Here are some follow up screenshots, info that I found from that IP:

Sorry, my mistake it was Cloudflare’s Railgun which is still weird that they let a different origin server contact your server

1 Like