Reverse Proxy with Trusted Proxy 1.49.0 #2799

Open
blaine07 opened this issue Nov 21, 2024 · 10 comments
@blaine07

I see the addition of only allowing trusted proxies with v1.49.0. My question is: I use Cloudflare for reverse proxy. It has a TON of IP addresses. We have to list each possible IP as "1.2.3.4,5,6,7,8"? That is going to be tedious, and they occasionally add to the list, etc.

Is there any way to have a variable for trusted proxy that is, for example, "cloudflare", and then it automagically knows to reach out, get the list of Cloudflare IPs and populate it into its own list on each boot or periodically, so that we don't have to list each individual IP of dozens?

@blaine07
Author

Maybe use their API to query to get list?

https://developers.cloudflare.com/api/operations/cloudflare-i-ps-cloudflare-ip-details

@blaine07
Author

Cloudflare IPv4 has a GIANT list once you expand on these: https://www.cloudflare.com/ips-v4/#

@pglombardo
Owner

Hi @blaine07 - I suspected this would happen but the CVE had to be fixed.

Do they have a single round-robin DNS name? I'll take a look at the docs now.

@pglombardo
Owner

pglombardo commented Nov 22, 2024

ChatGPT says the following, which is a good idea. Maybe I could add native Cloudflare support into the product, and with a settings toggle, auto-fetch Cloudflare IPs...

To include Cloudflare's IP ranges in your Rails trusted proxies configuration, you can dynamically fetch the IP ranges from Cloudflare's official list. This ensures that your configuration stays up-to-date with any changes to Cloudflare's IPs.

require 'net/http'
require 'ipaddr'

cf_ipv4_url = 'https://www.cloudflare.com/ips-v4'
cf_ipv6_url = 'https://www.cloudflare.com/ips-v6'

# Both endpoints return one CIDR per line; strip whitespace and drop blank
# lines so that IPAddr.new below never sees an empty string.
cloudflare_ips = begin
  ipv4 = Net::HTTP.get(URI(cf_ipv4_url)).lines.map(&:strip).reject(&:empty?)
  ipv6 = Net::HTTP.get(URI(cf_ipv6_url)).lines.map(&:strip).reject(&:empty?)
  ipv4 + ipv6
rescue StandardError => e
  # A failed fetch at boot falls back to the static list below instead of
  # aborting startup; the warning makes the degraded state visible in logs.
  Rails.logger.warn "Failed to fetch Cloudflare IPs: #{e.message}"
  []
end

# Use IPAddr ranges rather than unanchored regexes: /10\.\d{1,3}\.../ would also
# match public addresses such as 110.x.x.x or 210.x.x.x and treat them as proxies.
Rails.application.config.action_dispatch.trusted_proxies = [
  IPAddr.new("127.0.0.1"),      # Localhost
  IPAddr.new("::1"),            # IPv6 localhost
  IPAddr.new("192.168.0.0/16"), # Local network
  IPAddr.new("10.0.0.0/8")      # Private networks
] + cloudflare_ips.map { |ip| IPAddr.new(ip) }

@blaine07
Author

Yeah sorry, all that is outside my skill set or wheelhouse - I just think it would be something nice to consider if possible. Of course I can't think of anything off hand, but I've certainly seen some other selfhosted stuff have a Cloudflare variable, if you will. :-)

@pglombardo
Owner

Hi @blaine07 - I believe I have the solution in #2878 but I can't test it myself. It's off by default until you set PWP__CLOUDFLARE_PROXY=true or set cloudflare_proxy: true in your settings.yml.

I'll release soon but if you could test afterwards and let me know - fingers crossed. I'll post back once the release is out.

@blaine07
Author

blaine07 commented Dec 13, 2024

I am using Cloudflare proxy, but it must see it as local. I say that because I never added 'PWP__TRUSTED_PROXIES' to my config and everything has continued to function fine? The one cloudflared container my incoming traffic comes to and into Password Pusher from is inside the local network though, so maybe it's being seen as local?

I am happy to test however I can to help though!

@pglombardo
Owner

pglombardo commented Dec 13, 2024

Is there anything in-between Cloudflare and the pwpush container? e.g. another SSL proxy?

@blaine07
Author

You're right; I'm dumb. I fail today. I realized on Password Pusher I have it hitting a wildcard on Cloudflare Proxy and then forwarded from Cloudflare Proxy internally to an internal instance of Nginx Proxy Manager, THEN coming into Password Pusher - so that IS why it would see it as internal traffic. No idea why I didn't think to check that.

I don't have time this second, but I could add a route in Cloudflare and go straight to Password Pusher and add the variable for the sake of testing it - it'll have to be this evening or tomorrow though. I would then have to test it outside my home network; split horizon/split tunnel DNS at home.

@pglombardo
Owner

No problem at all - this is a good work-around for others if it comes up. The CF code is there in any case (disabled by default) and it seems to work. We can see as time progresses.
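The two things the thread turns on, what the trusted-proxies list actually changes in how the client IP is derived, and why the Cloudflare-to-Nginx-Proxy-Manager topology above is "seen as internal", as an added worked example in Ruby. This is not Password Pusher's code and not the Rails code: it re-implements the selection rule that ActionDispatch::RemoteIp applies (start at REMOTE_ADDR, walk outward through X-Forwarded-For right to left, return the first hop that is not a trusted proxy; if every hop is trusted, fall back to the leftmost X-Forwarded-For entry) so the effect of the list can be exercised offline. The Cloudflare ranges are a constructed sample in the same one-CIDR-per-line format the published lists use, not the live lists; the visitor address, the Cloudflare edge address, the internal Nginx Proxy Manager host and the assumption that NPM appends the Cloudflare edge address to X-Forwarded-For are all constructed for this example.

```ruby
require "ipaddr"

# Constructed sample in the one-CIDR-per-line format served by
# https://www.cloudflare.com/ips-v4 and /ips-v6. Sample data only: a real
# deployment must fetch the live lists, which change over time.
SAMPLE_IPS_V4 = <<~TXT
  173.245.48.0/20
  198.41.128.0/17

TXT
SAMPLE_IPS_V6 = <<~TXT
  2400:cb00::/32
TXT

# Parse a published list into IPAddr ranges. Blank lines and anything that is
# not a valid address/CIDR are skipped so one bad line cannot break startup.
def parse_cidr_list(text)
  text.lines.map(&:strip).reject(&:empty?).filter_map do |line|
    IPAddr.new(line)
  rescue IPAddr::Error
    nil
  end
end

# Proxies on the local box / private networks (the same idea as the static
# entries in the config snippet earlier in the thread, expressed as ranges).
LOCAL_PROXIES = [
  IPAddr.new("127.0.0.1"),
  IPAddr.new("::1"),
  IPAddr.new("10.0.0.0/8"),
  IPAddr.new("172.16.0.0/12"),
  IPAddr.new("192.168.0.0/16"),
].freeze

CLOUDFLARE_PROXIES = (parse_cidr_list(SAMPLE_IPS_V4) + parse_cidr_list(SAMPLE_IPS_V6)).freeze

# True only for a single host address, never a CIDR, so nobody can smuggle a
# netmask through X-Forwarded-For.
def single_address?(ip)
  range = IPAddr.new(ip).to_range
  range.begin == range.end
rescue IPAddr::Error
  false
end

# Re-implementation (for illustration) of the RemoteIp selection rule.
# remote_addr: the peer that opened the TCP connection to the app.
# x_forwarded_for: raw header value, comma separated, or nil.
# trusted: IPAddr ranges and/or Regexps; anything matching is a proxy.
def client_ip(remote_addr, x_forwarded_for, trusted)
  forwarded  = (x_forwarded_for || "").strip.split(/[,\s]+/).reject(&:empty?)
  forwarded  = forwarded.select { |ip| single_address?(ip) }
  candidates = [remote_addr] + forwarded.reverse          # nearest hop first
  untrusted  = candidates.reject { |ip| trusted.any? { |proxy| proxy === ip } }
  untrusted.first || forwarded.first || remote_addr
end

CF_EDGE = "198.41.128.10"  # constructed: an address inside a sample Cloudflare range
NPM     = "192.168.1.10"   # constructed: internal Nginx Proxy Manager host
CLIENT  = "203.0.113.5"    # constructed: the real visitor (TEST-NET-3)
FORGED  = "192.0.2.44"     # constructed: value a visitor put in X-Forwarded-For (TEST-NET-1)

def scenarios
  everything = LOCAL_PROXIES + CLOUDFLARE_PROXIES
  {
    # Cloudflare connects straight to the app and its ranges are trusted.
    direct_trusted:     client_ip(CF_EDGE, CLIENT, everything),
    # Same topology, Cloudflare not trusted: every visitor looks like the edge.
    direct_untrusted:   client_ip(CF_EDGE, CLIENT, LOCAL_PROXIES),
    # Visitor forges X-Forwarded-For; Cloudflare appends the real address.
    # With only real proxies trusted, the forged value is ignored.
    spoof_rejected:     client_ip(CF_EDGE, "#{FORGED}, #{CLIENT}", everything),
    # A catch-all trusted list makes the forged (leftmost) value win.
    spoof_accepted:     client_ip(CF_EDGE, "#{FORGED}, #{CLIENT}", [/.*/]),
    # Cloudflare -> internal NPM -> app, assuming NPM appends the edge address.
    via_npm_local_only: client_ip(NPM, "#{CLIENT}, #{CF_EDGE}", LOCAL_PROXIES),
    via_npm_both:       client_ip(NPM, "#{CLIENT}, #{CF_EDGE}", everything),
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, ip| puts "#{name}: #{ip}" }
end
```

The `via_npm_local_only` case is the topology blaine07 describes: because the app's peer is a private address, the request is treated as proxied regardless of whether Cloudflare's ranges are listed, which is why nothing broke when `PWP__TRUSTED_PROXIES` was never set; the difference the Cloudflare list makes is only whether the address selected is the visitor or the Cloudflare edge. The `spoof_accepted` case shows why a catch-all trusted list is the wrong shortcut: the leftmost X-Forwarded-For entry is the one a client controls.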
