Randy Calvert
Posted April 26, 2017

[Summary]

If you're using a CDN such as Akamai or Cloudflare, you essentially have a reverse proxy that sits in front of your web server. This is typically done to help improve the security (protection from volumetric layer 3/4 DDoS attacks and layer 7 application layer attacks) and the performance of a website (caching of objects close to the end user, automatic content minification, etc.).

However, if you're using a CDN in front of your site, you lose visibility to the IP addresses of your community members. By default, IPS reports the source IP address, which happens to be the address of the reverse proxy. To work around this challenge, most reverse proxies provide the source IP address they saw in a special header. For example, with Akamai the address name is X-True-Client-IP and with Cloudflare, it would be CF-Connecting-IP.

Unfortunately, IPB does not currently have a mechanism to remap where it consumes the end user source IP address from.

[The Ask]

Provide a mechanism within the ACP that would allow an admin to provide a value of a header name which IPB would use to determine the end user's IP address.

Dll
Posted April 27, 2017

This is already supported. In the ACP go to security, security settings, then select 'Trust IP addresses provided by proxies?'. That'll then use the x-forwarded-for IP address, which as far as I'm aware all or most CDNs will support.

Randy Calvert (Author)
Posted April 28, 2017

Login is working as expected. That's not a problem.

The challenge is that when members use the site, if there is a proxy such as Akamai or Cloudflare in front of the site... if I look in the IP logs or I look at the IP address from the post, it shows the address of the Proxy, not the member.

This means as an Admin, we lose visibility into our end user IP information. It also makes it difficult to cross reference activity, etc. The "Information associated with IP address" section of the moderator CP is basically useless when a proxy is used because it's the proxy that is reported and not the member.

See below as an example:

In this particular case, I know the end user for this IP address is actually coming from somewhere else, but that happens to be the closest Cloudflare data center. However the end user's actual source IP address is passed as a Layer 7 HTTP header. Depending on the reverse proxy, the field name can vary. If we could have an input specify what that was and have the IP address related tools use that header, we could accurately log/report end user IP information.

sudo
Posted April 28, 2017

44 minutes ago, Randy Calvert said:
> In this particular case, I know the end user for this IP address is actually coming from somewhere else, but that happens to be the closest Cloudflare data center. However the end user's actual source IP address is passed as a Layer 7 HTTP header. Depending on the reverse proxy, the field name can vary. If we could have an input specify what that was and have the IP address related tools use that header, we could accurately log/report end user IP information.

You can set this via Apache/Nginx config.

Randy Calvert (Author)
Posted April 28, 2017

Not a bad idea... I'll have Apache rewrite the source IP address based on the header. Then PHP won't know otherwise what's going on. Thanks!

sudo
Posted April 28, 2017

9 hours ago, Randy Calvert said:
> Not a bad idea... I'll have Apache rewrite the source IP address based on the header. Then PHP won't know otherwise what's going on. Thanks!

Pretty sure Cloudflare have a tutorial on how to do it as well. They used to have an Apache module which did that too.

Dll
Posted April 28, 2017

@Randy Calvert, we use Cloudflare and don't see that behaviour. Do you definitely have the setting to trust proxy IPs enabled? It's all we had to do to get the source IP rather than a Cloudflare one.

https://support.cloudflare.com/hc/en-us/articles/200170756-How-do-I-restore-original-visitor-IP-with-IPB-Invision-Power-Board-

Randy Calvert (Author)
Posted April 28, 2017

Yes, I do. I implicitly checked it. Might be a bug. I'll open a ticket just to make sure.

inkredible
Posted April 28, 2017

12 minutes ago, Randy Calvert said:
> Yes, I do. I implicitly checked it. Might be a bug. I'll open a ticket just to make sure.

For Apache there are usually Apache modules such as mod_cloudflare. This works without any issues for Cloudflare and another reverse proxy (which is kinda unknown) for my forums. For nginx you can simply adapt the nginx config as already mentioned.

It's not really something which needs to be considered by IPB.

sudo
Posted May 20, 2017

Also you want it set correctly on the server rather than IPB so server logs are actually accurate.

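Whichever layer rewrites the address, the header named in this thread (CF-Connecting-IP, X-True-Client-IP or X-Forwarded-For) should only be honoured when the TCP peer is one of the CDN's proxies, since a client that reaches the origin directly can send any value in it. The following is an added example of that check, not code from IPB, Apache, nginx or Cloudflare; `client_ip`, `TRUSTED_PROXIES` and the address ranges are hypothetical placeholders, and the ranges must be replaced with the ones your CDN publishes.

```python
import ipaddress

# Constructed placeholder ranges (documentation address space), standing in
# for the proxy ranges published by the CDN in front of the site.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8::/32")]


def _is_trusted(addr):
    """True if addr belongs to one of the configured proxy ranges."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, headers, header_name="CF-Connecting-IP"):
    """Return the address to log for a request.

    peer        -- TCP source address seen by the web server
    headers     -- request headers as a dict
    header_name -- admin-configured header that carries the member address
    """
    peer_addr = ipaddress.ip_address(peer)
    # A direct connection can put anything in the header, so the header is
    # ignored unless the TCP peer is one of our proxies.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    wanted = header_name.lower()  # header names are case-insensitive
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return str(peer_addr)
    # X-Forwarded-For may hold a chain "client, proxy1, proxy2". Walk it from
    # the right and stop at the first hop that is not a trusted proxy; entries
    # further left were supplied by that hop and cannot be verified.
    result = peer_addr
    for hop in reversed([h.strip() for h in value.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        result = addr
        if not _is_trusted(addr):
            break
    return str(result)
```
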
This topic is now archived and is closed to further replies.