• Resolved menathor

    (@menathor)


    Hi guys,

    Just wondering if I can use this code snippet in my wp config file to get the plugin working with cloudflare (instead of using WP_FAIL2BAN_PROXIES)?

    // Restore the original visitor IP if the request came via Cloudflare
    if ( isset( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
        $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
    }

    I would be using this in conjunction with nginx’s set_real_ip combined with real_ip_header CF-Connecting-IP as per the instructions here: https://www.wpintense.com/2017/03/24/configuring-nginx-pass-real-ip-addresses-cloudflare-compatible-fail2ban-wordpress/

    And if this will work, would there be any performance or other downsides to this approach compared to using WP_FAIL2BAN_PROXIES?

    Thanks!

    • This topic was modified 6 years, 11 months ago by menathor.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author invisnet

    (@invisnet)

    The point of listing the proxies is to know when you can trust the X-Forwarded-For header; without that check anyone could pass in a random IP.

    I’m not an expert on nginx; what happens with that configuration if someone set the CF-Connecting-IP header in their request? If nginx clears that header then you’re fine, but if not then you can’t trust what’s in it.
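
One way to apply the trust check described above in PHP (an added example, not the plugin's code or anything posted in this thread): the CF-Connecting-IP header is honoured only when the TCP peer in REMOTE_ADDR is inside a trusted-proxy list, otherwise the header is ignored. It assumes PHP sees the real peer address in REMOTE_ADDR, i.e. nginx's real_ip module is not already rewriting it (when it is, set_real_ip_from is making the same decision); TRUSTED_PROXY_CIDRS, ip_in_cidr and client_ip are names chosen here, and the CIDRs are documentation placeholders to be replaced with the ranges Cloudflare publishes.

```php
<?php
// Added example, not the plugin's code. Only honour CF-Connecting-IP when the
// TCP peer (REMOTE_ADDR) is a proxy we trust. The CIDRs below are placeholders
// from documentation address space; replace them with Cloudflare's published list.
const TRUSTED_PROXY_CIDRS = ['203.0.113.0/24', '2001:db8::/32'];

// True if $ip (IPv4 or IPv6) falls inside $cidr ("network/prefix-length").
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // malformed address or v4/v6 mismatch
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;                       // differs within the whole-byte prefix
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;    // compare the remaining high bits
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Returns the client IP fail2ban should see: the CF-Connecting-IP value when the
// request really arrived from a trusted proxy, otherwise the raw REMOTE_ADDR.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hdr  = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    if ($hdr === null || filter_var($hdr, FILTER_VALIDATE_IP) === false) {
        return $peer;                       // no header, or not a valid IP literal
    }
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return $hdr;                    // peer is a trusted proxy: header is reliable
        }
    }
    return $peer;                           // header set by an untrusted peer: ignore it
}

// Usage in wp-config.php, before the plugin loads:
$_SERVER['REMOTE_ADDR'] = client_ip($_SERVER);
```

A request arriving directly (peer outside the list) that carries a forged CF-Connecting-IP keeps its real peer address, so a ban lands on the actual sender rather than on whatever address was written into the header.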

    Thread Starter menathor

    (@menathor)

    Ah good point, thanks!

    I’ve restricted port 80 and 443 in iptables to only Cloudflare’s IPs, so the only traffic that should be able to reach my server is from Cloudflare. I think that will do the same job unless I’ve missed something?

    Just to confirm before I implement it, does your plugin use $_SERVER[‘REMOTE_ADDR’] as the source for IP addresses that get banned?

    Thanks again

    • This reply was modified 6 years, 11 months ago by menathor.
    Plugin Author invisnet

    (@invisnet)

    It does use REMOTE_ADDR, but if you’ve blocked access to anything but the CF IPs, what are you expecting to gain by running fail2ban?

    Thread Starter menathor

    (@menathor)

    Thanks, will give it a shot. It’s still possible to use fail2ban to block malicious users coming in via Cloudflare by using the CF-Connecting-IP header.

    Plugin Author invisnet

    (@invisnet)

    Yes, it is, but only if you have a trickle, not a flood.


The topic ‘Alternative method for using with Cloudflare + nginx?’ is closed to new replies.