Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

get_client_ip_address detects Server IP if on Cloudflare #109

Closed
eightam opened this issue Jan 18, 2020 · 2 comments · Fixed by #110
Closed

get_client_ip_address detects Server IP if on Cloudflare #109

eightam opened this issue Jan 18, 2020 · 2 comments · Fixed by #110
Assignees
@eightam
Labels
type:bug Something isn’t working.
Milestone
7.3.0

Comments

@eightam
Copy link
Contributor

eightam commented Jan 18, 2020

Describe the bug
If the website is served through Cloudflare DNS, all the headers listed in get_client_ip_address() are filled with the server IP address. Then the plugin doesn't work and is actually a "security risk" for inexperienced users (for example if the "Add My Current IP Address" button is clicked in the settings, the servers IP address is added which leads to a fully accessible site for any IP, as get_client_ip_address() always returns the server IP).

Cloudflare fills in the clients address into an extra header HTTP_CF_CONNECTING_IP. The solution is to add this to the list of queried headers:

$headers = array(
			'HTTP_CF_CONNECTING_IP',
			'HTTP_CLIENT_IP',
			'HTTP_X_FORWARDED_FOR',
			'HTTP_X_FORWARDED',
			'HTTP_X_CLUSTER_CLIENT_IP',
			'HTTP_FORWARDED_FOR',
			'HTTP_FORWARDED',
			'REMOTE_ADDR',
		);

Steps to Reproduce

  1. Use Cloudflare as DNS
  2. Click on 'Add My Current IP Address'

Expected behavior
get_client_ip_address() should return the real client address if Cloudflare is active.

Environment information
Wordpress 5.3.2 through Cloudflare
@eightam eightam added the type:bug Something isn’t working. label Jan 18, 2020
@jeffpaul jeffpaul added this to the 7.3.0 milestone Jan 22, 2020
@jeffpaul
Copy link
Member

Welcome to Restricted Site Access and thanks for the feedback and potential solution @eightam! If you're able to work up a PR to resolve this, then I'd gladly get that through review and into the next milestoned release.

@eightam eightam mentioned this issue Jan 23, 2020
Merged
6 tasks
@dsXLII dsXLII mentioned this issue Feb 21, 2020
Merged
6 tasks
@jeffpaul jeffpaul modified the milestones: 7.3.0, 7.4.0 Aug 16, 2021
@jeffpaul jeffpaul linked a pull request Oct 12, 2021 that will close this issue
Adding Cloudflare IP detection compatibility #110
Merged
6 tasks
@jeffpaul jeffpaul modified the milestones: 7.4.0, 7.3.0 Oct 12, 2021
@jeffpaul jeffpaul moved this from To Do to Merged in Open Source Practice Oct 12, 2021
@jeffpaul jeffpaul moved this to To Do in Open Source Practice Oct 12, 2021
@jeffpaul
Copy link
Member

Merged in via #110.

@jeffpaul jeffpaul moved this from Merged to Done/Released in Open Source Practice Feb 23, 2022
@dkotter dkotter mentioned this issue May 9, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@eightam eightam

Labels
type:bug Something isn’t working.
Projects
Open Source Practice
Archived in project
Milestone
7.3.0
Development

Successfully merging a pull request may close this issue.

Adding Cloudflare IP detection compatibility eightam/restricted-site-access
2 participants
@eightam @jeffpaul