• Resolved amezianebelkessam

    (@amezianebelkessam)


    This plugin sounds awesome! We are running a large WooCommerce site and dealing with bad bots all the time (specifically targeting add-to-cart URLs). We are running Cloudflare and our Apache server logs (for example) show Cloudflare’s IP address as the client address for all requests. My question is, does this plugin take that into account and retrieve the connecting IP address or X-Forwarded-For IP address from Cloudflare?

    Site traffic is being resolved through a reverse proxy (Cloudflare) and my worry is that if a bot falls into your trap (absolutely genius btw) the plugin would block that IP address and therefore other legitimate traffic Cloudflare is sending through the same proxied IP. Is this something your PRO plugin resolves? We have no problem purchasing it if it’s not an issue there.

    Thank you in advance for your advice/insight.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Jeff Starr

    (@specialk)

    The plugin puts REMOTE_ADDR as the first thing to check for IP addresses. It also provides a filter hook named blackhole_ip_keys so you can change that to whatever you want. It is located in /inc/blackhole-ip.php in the free version.

    IMPORTANT: Only change the order of the IP keys if you are 100% sure you know what you are doing and it is necessary (like behind a proxy server, etc.). Otherwise you may open yourself up to possible IP address spoofing, which would prevent Blackhole from blocking the correct IP address.

    I hope this helps, let me know if I can provide any further info.

    Thread Starter amezianebelkessam

    (@amezianebelkessam)

    Ok I am comfortable with reordering the script so that ‘HTTP_X_FORWARDED_FOR’ is the first IP checked. Do I also need to remove REMOTE_ADDR or just move it down the list?

    Thread Starter amezianebelkessam

    (@amezianebelkessam)

    Sorry, I should add to my thinking: the reason I am asking is, does the plugin still take REMOTE_ADDR into account even if it’s deprioritized? If so, should I just remove it? The goal is to not have this plugin blocking Cloudflare IPs.

    Plugin Author Jeff Starr

    (@specialk)

    Just moving it further down the list is what others have done. If you examine the code you’ll find that the plugin uses the first IP address that is matched in the array. So if REMOTE_ADDR is first, that will be checked and used first. Likewise if you change the order. If you do make any changes, remember to test well. And also make sure to read the documentation for important notes, etc. (if you have not already done so).


The topic ‘Does this work alongside Cloudflare’ is closed to new replies.
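
The reordering discussed in this thread, sketched as an added example (not part of the thread and not the plugin's own code): a `blackhole_ip_keys` callback that checks `HTTP_X_FORWARDED_FOR` first only when `REMOTE_ADDR` is a known proxy, which limits the spoofing risk the plugin author warns about. It assumes the filter passes an array of `$_SERVER` key names; the `example_*` names and the proxy ranges are hypothetical placeholders.

```php
<?php
// Added example, not Blackhole's code. Assumes the blackhole_ip_keys filter
// passes an array of $_SERVER key names that the plugin checks in order.

// Constructed placeholder ranges (documentation address space); replace them
// with the ranges your proxy provider publishes.
const EXAMPLE_TRUSTED_PROXIES = array('203.0.113.0/24', '2001:db8::/32');

// True when $ip lies inside $cidr; works for IPv4 and IPv6.
function example_ip_in_cidr($ip, $cidr) {
    $parts = explode('/', $cidr, 2);
    $addr  = @inet_pton($ip);
    $net   = @inet_pton($parts[0]);
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false; // unparsable input or address-family mismatch
    }
    $max  = strlen($net) * 8;
    $bits = isset($parts[1]) ? (int) $parts[1] : $max;
    if ($bits < 0 || $bits > $max) {
        return false;
    }
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask);
}

// Check the forwarded header first only when the TCP peer is a trusted proxy.
function example_blackhole_ip_keys($keys) {
    $peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach (EXAMPLE_TRUSTED_PROXIES as $cidr) {
        if (example_ip_in_cidr($peer, $cidr)) {
            $rest = array_diff($keys, array('HTTP_X_FORWARDED_FOR'));
            return array_merge(array('HTTP_X_FORWARDED_FOR'), array_values($rest));
        }
    }
    // Direct connection: a client can set any header, so use only the peer.
    return array('REMOTE_ADDR');
}

if (function_exists('add_filter')) { // defined when loaded inside WordPress
    add_filter('blackhole_ip_keys', 'example_blackhole_ip_keys');
}
```

A forwarded header can carry several comma-separated addresses, and only the entries appended by your own proxy are trustworthy, so test which address actually gets recorded before relying on this.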