Laravel, Cloudflare and Trusted Proxies

When using Cloudflare in front of your site, you may notice that the IP address of an incoming request is a Cloudflare address rather than the visitor's. This happens because Cloudflare proxies the request to your server. To recover the original client IP, you need to configure trusted proxies in Laravel.

This is important because the throttle middleware reads the request IP and rate limits per IP. If all requests appear to come from Cloudflare's addresses, they are all throttled together, which will cause issues.

One option would be to trust every proxy, but I would not recommend this: it means the forwarded header is trusted no matter who sent the request.

'proxies' => '*',

Another option would be to hard-code all of Cloudflare's IP ranges. But what if they change?

'proxies' => [
    '103.21.244.0/22',
    '103.22.200.0/22',
    '103.31.4.0/22',
    '104.16.0.0/12',
    '108.162.192.0/18',
    '131.0.72.0/22',
    '141.101.64.0/18',
    '162.158.0.0/15',
    '172.64.0.0/13',
    '173.245.48.0/20',
    '188.114.96.0/20',
    '190.93.240.0/20',
    '197.234.240.0/22',
    '198.41.128.0/17',
],

The best option would be for the IP ranges to update automatically when Cloudflare changes them. Fortunately, a great package exists that does just that.

Install the package and make sure its reload command is scheduled to run daily so the IP ranges stay up to date.

$schedule->command('cloudflare:reload')->daily();
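To show why a fixed list of Cloudflare ranges is safer than '*', here is an added example that is not code from this post, Laravel or Cloudflare: a stand-alone, simplified stand-in for the trust decision the TrustProxies middleware makes before the throttle middleware reads the client IP. The function names are mine, and the request addresses are constructed RFC 5737 documentation values.

```php
<?php
// Added example, not code from the post, Laravel or Cloudflare: a simplified
// model of the trusted-proxy decision. Two Cloudflare ranges from the post are
// used; all request values are constructed. Assumes 64-bit PHP (>= 7.4).

/** True if IPv4 $ip falls inside $cidr, e.g. '173.245.48.0/20'. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr);
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($subnet) & $mask);
}

/** $trusted is '*' (trust every upstream) or a list of CIDR strings. */
function isTrustedProxy(string $ip, $trusted): bool
{
    if ($trusted === '*') {
        return true;
    }
    return array_filter($trusted, fn ($cidr) => ipInCidr($ip, $cidr)) !== [];
}

/** The address the throttle middleware should key on. X-Forwarded-For is only
 *  read when the TCP peer (REMOTE_ADDR) is trusted; the client is then the
 *  right-most hop that is not itself a trusted proxy. */
function throttleKey(string $remoteAddr, ?string $xff, $trusted): string
{
    if ($xff === null || !isTrustedProxy($remoteAddr, $trusted)) {
        return $remoteAddr; // header ignored: the peer is not a trusted proxy
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i > 0; $i--) {
        if (!isTrustedProxy($hops[$i], $trusted)) {
            return $hops[$i];
        }
    }
    return $hops[0];
}

$cloudflare = ['173.245.48.0/20', '103.21.244.0/22'];

// Request relayed by a Cloudflare edge: both settings recover the client.
echo throttleKey('173.245.48.10', '198.51.100.1', '*'), "\n";
echo throttleKey('173.245.48.10', '198.51.100.1', $cloudflare), "\n";

// Request reaching the origin directly with a forged header: with '*' the
// forged value becomes the throttle key; with the CIDR list the peer does.
echo throttleKey('203.0.113.7', '198.51.100.1', '*'), "\n";
echo throttleKey('203.0.113.7', '198.51.100.1', $cloudflare), "\n";
```

The last two lines are the whole argument: with '*' any client that can reach the origin directly picks its own rate-limit bucket, while the CIDR list keeps it keyed on the real peer address.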

Be sure to check out the great article covering trusted proxies on Laravel News.


Thanks for reading. Make sure you follow me on Twitter to stay up to date on the progress of my side projects T.LY, Weather Extension, and Link Shortener Extension. If you are interested in the tech I use daily, check out my uses page.

9 thoughts to “Laravel, Cloudflare and Trusted Proxies”

  1. I don’t think any of this is true…. if you use the IP helper it will use the forwarded IP that Cloudflare provides giving you the original IP not the Cloudflare IP.

  2. Wouldn't it be easier and much safer if you use Cloudflare Zone Lockdown,
    “Lockdown a specific URL on your zone to specific IP addresses. This is useful to protect an admin or protected area from non-specified IP addresses.”

    I know it is a paid service, but for what you get from Cloudflare I think it is worth it.

    1. In my case I want to be able to rate limit an api. I think what you are talking about is more for restricting access for admin panels etc.

  3. Well, since we know our app is behind Cloudflare, I came up with this simpler solution:

    add a variable in .env file:
    APP_BEHIND_CLOUDFLARE=true

    in config/app.php:
    'behind_cloudflare' => env('APP_BEHIND_CLOUDFLARE', false),

    in app\Http\Middleware\TrustProxies.php add constructor:
    // at the top of the file, next to the other use statements
    use Illuminate\Contracts\Config\Repository;

    public function __construct(Repository $config)
    {
        parent::__construct($config);

        // trust every upstream only when the .env flag is on
        if (config('app.behind_cloudflare')) {
            $this->proxies = '*';
        }
    }

    I think this solution is simpler. If you don’t use Cloudflare anymore just disable it in .env file and done.

    What do you think about such an approach?

    1. You don’t want to trust the X-Forwarded header except for specific IPs. This is to protect yourself against malicious users spoofing the header.
