When using Cloudflare to manage your site, you may notice that if you check the IP address of the request, it will be an IP address belonging to Cloudflare. This happens because Cloudflare is proxying the request to your server. To get around this and recover the original client IP, you need to configure trusted proxies in Laravel.
This is important because the throttle middleware reads the request IP and throttles per IP. If all requests look like they are coming from Cloudflare, every client ends up sharing the same throttle counter.
One option would be to trust all proxies, but I would not recommend this.
'proxies' => '*',
Another option would be to hard-code all of Cloudflare's IP ranges. But what if they change?
'proxies' => [
    '103.21.244.0/22',
    '103.22.200.0/22',
    '103.31.4.0/22',
    '104.16.0.0/12',
    '108.162.192.0/18',
    '131.0.72.0/22',
    '141.101.64.0/18',
    '162.158.0.0/15',
    '172.64.0.0/13',
    '173.245.48.0/20',
    '188.114.96.0/20',
    '190.93.240.0/20',
    '197.234.240.0/22',
    '198.41.128.0/17',
],
The best option is for the IP ranges to update automatically when they change. Fortunately, a great package exists that does just that.
Install the package and make sure its reload command is scheduled to run daily so the IP ranges stay up to date.
$schedule->command('cloudflare:reload')->daily();
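To make the difference between the options above concrete, here is an added Python model of the trusted-proxy check (example code, not Laravel's or the package's own implementation): it believes X-Forwarded-For only when the TCP peer falls inside the Cloudflare ranges listed above, and it also models the '*' setting (which trusts whatever the immediate peer is) so the header-spoofing problem is visible. All client and proxy addresses used in the test cases are constructed.

```python
import ipaddress

# Cloudflare IPv4 ranges as listed in the post (a snapshot; in production keep
# them current, e.g. with the cloudflare:reload command scheduled above)
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
)]
TRUST_ALL = "*"  # stands in for Laravel's 'proxies' => '*'


def _parse(addr):
    """Return an ip_address object, or None for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr, trusted_nets):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted_nets)


def client_ip(remote_addr, x_forwarded_for, trusted):
    """Resolve the client IP the way a trusted-proxy middleware does.

    remote_addr is the TCP peer, x_forwarded_for the raw header value. The
    header is consulted only when the peer is a trusted proxy; the chain is
    then walked from the right and the first non-proxy hop is the client.
    """
    if trusted == TRUST_ALL:
        # '*' trusts whoever the TCP peer is, so a direct client becomes a
        # "proxy" whose header is believed: that is the weakness of '*'
        try:
            trusted = [ipaddress.ip_network(remote_addr.strip())]
        except ValueError:
            trusted = []
    if not is_trusted_proxy(remote_addr, trusted):
        return remote_addr  # untrusted peer: its header is ignored entirely
    hops = [h for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            return remote_addr  # malformed hop: fall back to the peer address
        if not is_trusted_proxy(hop, trusted):
            return hop.strip()
    return remote_addr  # every hop was a proxy; nothing better to report
```

With the Cloudflare list, a direct request carrying a forged header still throttles against the peer address; with '*', the forged header wins.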
Be sure to check out the great article covering trusted proxies on Laravel News.
Thanks for reading. Make sure you follow me on Twitter to stay up to date on the progress of my side projects T.LY, Weather Extension, and Link Shortener Extension. If you are interested in the tech I use daily, check out my uses page.
I don't think any of this is true... if you use the IP helper it will use the forwarded IP that Cloudflare provides, giving you the original IP, not the Cloudflare IP.
Thanks for your feedback. Laravel will not trust the forwarded IP header unless you have the IP address set as a trusted proxy. Read more about it here: https://laravel-news.com/trusted-proxy
Wouldn't it be easier and much safer if you used Cloudflare Zone Lockdown?
"Lockdown a specific URL on your zone to specific IP addresses. This is useful to protect an admin or protected area from non-specified IP addresses."
I know it is a paid service, but for what you from Cloudflare I think it is worth it.
In my case I want to be able to rate limit an api. I think what you are talking about is more for restricting access for admin panels etc.
Thanks! Nice and simple!
Well, since we know our app is behind Cloudflare, I came with this simpler solution:
add a variable in .env file:
APP_BEHIND_CLOUDFLARE=true
in config/app.php:
'behind_cloudflare' => env('APP_BEHIND_CLOUDFLARE', false),
in app\Http\Middleware\TrustProxies.php add a constructor (the Repository import is the config contract the constructor type-hints):
use Illuminate\Contracts\Config\Repository;

public function __construct(Repository $config)
{
    parent::__construct($config);
    if (config('app.behind_cloudflare')) {
        $this->proxies = '*';
    }
}
I think this solution is simpler. If you don't use Cloudflare anymore, just disable it in the .env file and you're done.
What do you think about such an approach?
That will work, but I think you are allowing all IPs, not just Cloudflare. Potentially less secure.
If it's a public app, what is the downside to allowing all IPs?
You don't want to trust the X-Forwarded header except for specific IPs. This is to protect yourself against malicious users spoofing the header.