Laravel, Cloudflare and Trusted Proxies

When you use Cloudflare to manage your site, you may notice that the IP address of each request is a Cloudflare IP address. This happens because Cloudflare is proxying the request to your server. To get the original client IP, you need to configure trusted proxies in Laravel.

This is important because the throttle middleware checks the request IP and throttles based on it. If all requests look like they are coming from Cloudflare, this will cause issues.

One option would be to trust all proxies, but I would not recommend this, because forwarding headers would then be accepted from any address that connects to your server.

'proxies' => '*',

Another option would be to just hardcode all of Cloudflare’s IP address ranges. But what if they change?

'proxies' => [
    '103.21.244.0/22',
    '103.22.200.0/22',
    '103.31.4.0/22',
    '104.16.0.0/12',
    '108.162.192.0/18',
    '131.0.72.0/22',
    '141.101.64.0/18',
    '162.158.0.0/15',
    '172.64.0.0/13',
    '173.245.48.0/20',
    '188.114.96.0/20',
    '190.93.240.0/20',
    '197.234.240.0/22',
    '198.41.128.0/17',
],
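To see what the two settings above change, here is an added example (not code from this post or from Laravel) that models trusted-proxy resolution for IPv4: the forwarding header is only honoured when the directly connected peer is a trusted proxy. The helper names, the sample addresses and the treatment of '*' as "trust whichever peer connected" are assumptions of this model.

```php
<?php
// Added example: simplified, IPv4-only model of trusted-proxy resolution (assumes 64-bit PHP).
// ipInCidr(), isTrusted() and resolveClientIp() are hypothetical helpers, not Laravel's code.

function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = (int) $bits === 0 ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isTrusted(string $ip, array $trusted): bool
{
    return count(array_filter($trusted, fn ($cidr) => ipInCidr($ip, $cidr))) > 0;
}

function resolveClientIp(string $remoteAddr, ?string $forwardedFor, $proxies): string
{
    // Model assumption: '*' trusts whichever peer opened the connection.
    $trusted = $proxies === '*' ? [$remoteAddr] : $proxies;
    if ($forwardedFor === null || !isTrusted($remoteAddr, $trusted)) {
        return $remoteAddr; // header ignored: the peer is not a trusted proxy
    }
    // Walk the chain right to left; the first hop that is not a trusted proxy is the client.
    $client = $remoteAddr;
    foreach (array_reverse(array_map('trim', explode(',', $forwardedFor))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last validated address
        }
        $client = $hop;
        if (!isTrusted($hop, $trusted)) {
            break;
        }
    }
    return $client;
}

$cloudflare = ['173.245.48.0/20', '172.64.0.0/13', '104.16.0.0/12']; // subset of the list above
foreach (['*' => '*', 'cloudflare' => $cloudflare] as $label => $proxies) {
    // Constructed requests: one relayed by a Cloudflare address, one sent directly with a header.
    $viaEdge = resolveClientIp('172.64.0.10', '203.0.113.50', $proxies);
    $direct = resolveClientIp('198.51.100.23', '192.0.2.99', $proxies);
    printf("%-10s via edge: %s  direct: %s\n", $label, $viaEdge, $direct);
}
```

With '*', the header value supplied on a direct connection becomes the IP that throttling keys on; with the range list, the header is honoured only when the peer is inside a listed range.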

The best option would be for the IP address ranges to auto-update if they change. Fortunately, a great package exists that does just that.

Install the package and make sure you have the reload command set to run daily to ensure the IP address ranges are up to date.

$schedule->command('cloudflare:reload')->daily();

 

Be sure to check out the great article covering trusted proxies on Laravel News.


Also published on Medium.

4 thoughts to “Laravel, Cloudflare and Trusted Proxies”

  1. I don’t think any of this is true... if you use the IP helper it will use the forwarded IP that Cloudflare provides giving you the original IP not the Cloudflare IP.

  2. Wouldn’t it be easier and much safer if you use Cloudflare Zone Lockdown,
    “Lockdown a specific URL on your zone to specific IP addresses. This is useful to protect an admin or protected area from non-specified IP addresses.”

    I know it is a paid service, but for what you from Cloudflare I think it is worth it.
