Laravel, Cloudflare and Trusted Proxies

When using Cloudflare to manage your site, you may notice that if you check the ip address of the request, it will be an ip address from Cloudflare. This is happening because Cloudflare is proxying the request to your server. To get around this issue and get the original request ip, you need to configure trusted proxies in Laravel.

This is important because the throttle middleware checks the request ip and throttles based on ip. If all request look like they are coming from Cloudflare, this will cause issues.

One option would be to allow all but I would not recommend this.

'proxies' => '*',

Another option would be to just hardcode all Cloudflare’s ip address. But what if they change?

'proxies' => [
'103.21.244.0/22',
'103.22.200.0/22',
'103.31.4.0/22',
'104.16.0.0/12',
'108.162.192.0/18',
'131.0.72.0/22',
'141.101.64.0/18',
'162.158.0.0/15',
'172.64.0.0/13',
'173.245.48.0/20',
'188.114.96.0/20',
'190.93.240.0/20',
'197.234.240.0/22',
'198.41.128.0/17'],

The best option would be for the range of ip address to auto-update if they change. Fortunately, a great package exists that does just that.

Install the package and make sure you have the reload command set to run daily to ensure the range of ip address are up to date.

$schedule->command('cloudflare:reload')->daily();

 

Be sure to check out the great article covering trusted proxies on Laravel News.


Also published on Medium.

2 thoughts to “Laravel, Cloudflare and Trusted Proxies”

  1. I don’t think any of this is true…. if you use the IP helper it will use the forwarded IP that Cloudflate provides giving you the original IP not the Cloudflare IP.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.