use real user ip behind cloudflare #68

Merged: 5 commits, Mar 29, 2024

t0nka
Contributor

@t0nka t0nka commented Feb 12, 2023

If a website is behind Cloudflare, $this->request->ip() will provide you only a Cloudflare IP, not the real user IP address.

With $this->request->server('HTTP_CF_CONNECTING_IP') you are able to get the real user IP address.

@lrljoe
Collaborator

lrljoe commented Feb 18, 2023

You can just use your webserver to modify the standard header. CloudFlare provide instructions on how to do this for Apache and Nginx.

@t0nka
Contributor Author

t0nka commented Feb 27, 2023

True, but sometimes you need a vanilla server, or you can't even change the configuration of your server.

@lrljoe
Collaborator

lrljoe commented Feb 27, 2023

In that case, can I suggest that you add some key options into the config file so that it's a little more configurable, perhaps a real_ip header or something?

That way it can be applied to CloudFlare/CloudFront/Front Door etc.

@lrljoe
Collaborator

lrljoe commented Apr 11, 2023

Just testing an alternative approach, using the config file to determine which headers to use etc, as this suggested approach limits it to only CloudFlare.

@swilla

swilla commented Apr 27, 2023

I think if you use this package on your application no changes will need to be done within this package: https://github.com/monicahq/laravel-cloudflare

@t0nka
Contributor Author

t0nka commented Apr 27, 2023

I added a configurable approach - config based.

@lrljoe
Collaborator

lrljoe commented Apr 27, 2023

One minor tweak I'd recommend is to use the shorthand to simplify it somewhat; the below should work, but you get the idea on how to tweak it if not.

$ip = (config('authentication-log.behind_cdn')) ? $this->request->server(config('authentication-log.behind_cdn.http_header_field')) : $this->request->ip();

Otherwise it looks like a great addition!

@denizaygu

@rappasoft this would be incredibly useful, I'm using Vercel and have a similar issue. Even if I add the correct user IP to the IPs header, it still uses the secondary AWS IP.

@denizaygu

As a workaround I ended up implementing the Login event and listener manually myself.

@lrljoe
Collaborator

lrljoe commented Aug 19, 2023

I've got some updates and improvements for this that I'll merge across, including smoother detection for the common WAFs/proxies, I'm just focused on the tables package at the mo.

I'd estimate 3 to 4 weeks before I can properly get everything in a good shape for a new release

@lrljoe
Collaborator

lrljoe commented Aug 20, 2023

As a side note, rather than replicating the methods, you could do one of the following

configure your webserver to rewrite the header

configure cloudflare to pass the original IP in the original header

use a middleware to rewrite the headers

The update I've got sat to one side has a couple of nifty features for detecting a WAF and picking the appropriate header.
Plus some improvements to the way the package is listening.
Sadly a few weeks before I can think about tidying it up and adding it in.

@rappasoft rappasoft changed the base branch from main to develop March 29, 2024 00:41
@rappasoft rappasoft merged commit 1c9456d into rappasoft:develop Mar 29, 2024
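
A header such as HTTP_CF_CONNECTING_IP is set by whoever connects to the origin, so an authentication log should honour it only when the connecting peer is the CDN itself. The following is an added example, not code from this PR or the package: the function names, the trusted-range list and the sample addresses are assumptions.

```php
<?php
// Added example; names, ranges and addresses below are assumptions, not package code.

/** True if $ip lies inside $cidr (IPv4 or IPv6); malformed input never matches. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($subnet);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max = strlen($ipBin) * 8;
    $bits ??= (string) $max; // a bare address means an exact match
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false;
    }
    $full = intdiv((int) $bits, 8); // whole bytes covered by the prefix
    $rem = (int) $bits % 8;         // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

/**
 * Pick the IP to log. $header is the configured field (HTTP_CF_CONNECTING_IP in
 * this PR); $trustedProxies is a hypothetical config list of CDN edge ranges.
 */
function resolveClientIp(array $server, ?string $header, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $claimed = $header !== null ? trim((string) ($server[$header] ?? '')) : '';
    foreach ($trustedProxies as $cidr) {
        // Honour the header only for a known proxy peer and a well-formed IP value.
        if (ipInCidr($peer, $cidr) && filter_var($claimed, FILTER_VALIDATE_IP) !== false) {
            return $claimed;
        }
    }
    return $peer; // direct or unknown peer: log the socket address instead
}

// Constructed input using RFC 5737 documentation ranges, not real CDN ranges.
$trusted = ['192.0.2.0/24'];
$hdr = 'HTTP_CF_CONNECTING_IP';
echo resolveClientIp(['REMOTE_ADDR' => '192.0.2.10', $hdr => '203.0.113.7'], $hdr, $trusted), PHP_EOL;
echo resolveClientIp(['REMOTE_ADDR' => '198.51.100.5', $hdr => '203.0.113.7'], $hdr, $trusted), PHP_EOL;
```

The first call comes from a peer inside the trusted range and logs the header value; the second comes from outside it and falls back to the peer address.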