Non-Cloudflare IP (51.15.55.132) contacting my Origin server

Hi,

I have a site which hosts a Teamspeak 3 Banner (an image that gets refreshed every minute by hundreds of people) and it’s cached to one minute with a Page Rule and my nginx config.

Now I wanted to create a forum and we noticed that we all log in from the same IP which is 51.15.55.132 (Scaleway - Online S.A.S.) and that’s weird because I DO have set_real_ip_from on nginx and it worked fine.

On my DNS records I have only my web server IP which is at OVH and Cloudflare Proxy is turned on.
When you go on https://teamspeak.rs/forum/lele.php (lol for lele.php) you SHOULD see your IP but you see the IP: 51.15.55.132

If I block the IP 51.15.55.132 on my machine directly with iptables -I INPUT -s 51.15.55.132 -j DROP the site becomes completely inaccessible. (it shows the Cloudflare error that the origin server is down).

If I do a set_real_ip_from 51.15.55.132; then my IP shows up at https://teamspeak.rs/forum/lele.php which works fine BUT I don’t want an IP to sniff my data, especially passwords in plain text now.

Well done, my site is in a MITM attack.

Here are some follow-up screenshots, info that I found from that IP:

Sorry, my mistake, it was Cloudflare’s Railgun, which is still weird that they let a different origin server contact your server.
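An added example, not part of the original posts: a Python sketch of the trust decision behind set_real_ip_from, showing why a peer outside the trusted ranges appears as every visitor's address and how to list such peers from connection data. Assumptions: the ranges are a partial snapshot of Cloudflare's published IPv4 list (https://www.cloudflare.com/ips/), the forwarded header is CF-Connecting-IP, and the function names and sample connections are constructed for illustration.

```python
import ipaddress

# Assumption: partial snapshot of Cloudflare's published IPv4 ranges.
# The authoritative, current list is at https://www.cloudflare.com/ips/.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

def is_trusted(peer, trusted=TRUSTED_PROXIES):
    """True if the TCP peer address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in trusted)

def effective_client_ip(peer, forwarded, trusted=TRUSTED_PROXIES):
    """Honour the forwarded header only when the peer is a trusted proxy."""
    if forwarded and is_trusted(peer, trusted):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            pass  # malformed header: fall back to the TCP peer
    return peer

def untrusted_peers(connections, trusted=TRUSTED_PROXIES):
    """Count requests per peer that is outside every trusted range."""
    counts = {}
    for peer, _header in connections:
        if not is_trusted(peer, trusted):
            counts[peer] = counts.get(peer, 0) + 1
    return counts

# Constructed sample: (TCP peer address, CF-Connecting-IP header value).
SAMPLE = [
    ("162.158.10.20", "198.51.100.7"),
    ("51.15.55.132", "203.0.113.9"),
    ("51.15.55.132", "203.0.113.44"),
    ("172.68.1.1", "not-an-ip"),
]

if __name__ == "__main__":
    for peer, header in SAMPLE:
        print(peer, "->", effective_client_ip(peer, header))
    print("peers outside trusted ranges:", untrusted_peers(SAMPLE))
```

Any peer this reports should be matched to a known service (here it turned out to be Railgun) before its address is added to set_real_ip_from.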
