Reverse Proxy with Trusted Proxy 1.49.0 #2799
Comments
Maybe use their API to query to get the list? https://developers.cloudflare.com/api/operations/cloudflare-i-ps-cloudflare-ip-details
Cloudflare IPv4 has a GIANT list once you expand on these: https://www.cloudflare.com/ips-v4/#
Hi @blaine07 - I suspected this would happen but the CVE had to be fixed. Do they have a single round-robin DNS name? I'll take a look at the docs now.
ChatGPT says the following, which is a good idea. Maybe I could add native Cloudflare support into the product, and with a settings toggle, auto-fetch Cloudflare IPs... To include Cloudflare's IP ranges in your Rails trusted proxies configuration:

```ruby
require 'net/http'
require 'ipaddr' # IPAddr.new below needs this

cf_ipv4_url = 'https://www.cloudflare.com/ips-v4'
cf_ipv6_url = 'https://www.cloudflare.com/ips-v6'

# Both endpoints return one CIDR per line; drop blank lines so no empty
# string reaches IPAddr.new. On any fetch error fall back to an empty list.
cloudflare_ips = begin
  ipv4 = Net::HTTP.get(URI(cf_ipv4_url)).lines.map(&:strip).reject(&:empty?)
  ipv6 = Net::HTTP.get(URI(cf_ipv6_url)).lines.map(&:strip).reject(&:empty?)
  ipv4 + ipv6
rescue StandardError => e
  Rails.logger.warn "Failed to fetch Cloudflare IPs: #{e.message}"
  []
end

# Regexps are anchored so a pattern can only match a whole address,
# never a substring of a longer, untrusted one.
Rails.application.config.action_dispatch.trusted_proxies = [
  "127.0.0.1",                        # Localhost
  /\A::1\z/,                          # IPv6 localhost
  /\A192\.168\.\d{1,3}\.\d{1,3}\z/,   # Local network
  /\A10\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/ # Private networks
] + cloudflare_ips.map { |ip| IPAddr.new(ip) }
```
Yeah, sorry, all that is outside my skill set or wheelhouse.
Hi @blaine07 - I believe I have the solution in #2878 but I can't test it myself. It's off by default until you set I'll release soon but if you could test afterwards and let me know - fingers crossed. I'll post back once the release is out.
I am using Cloudflare proxy but it must see it as local. I say that because I never added `PWP__TRUSTED_PROXIES` to my config and everything has continued to function fine? The one cloudflared container my incoming traffic comes to and into Password Pusher from is inside the local network though, so maybe it's being seen as local? I am happy to test however I can to help though!
Is there anything in-between Cloudflare and the pwpush container? e.g. another SSL proxy?
You're right; I'm dumb. I fail today. I realized on Password Pusher I have it hitting a wildcard on Cloudflare Proxy and then forwarded from Cloudflare Proxy internally to an internal instance of Nginx Proxy Manager THEN coming into Password Pusher - so that IS why it would see it as internal traffic. No idea why I didn't think to check that. I don't have time this second but I could add a route in Cloudflare and go straight to Password Pusher and add the variable for the sake of testing it - it'll have to be this evening or tomorrow though. I would then have to test it outside my home network; split horizon/split tunnel DNS at home.
No problem at all - this is a good work-around for others if it comes up. The CF code is there in any case (disabled by default) and it seems to work. We can see as time progresses.
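An added example (mine, not code from the thread or from Password Pusher) covering both points raised above: parsing the Cloudflare list format into `IPAddr` trusted-proxy entries, and how trusted-proxy resolution (modelled on Rack's `Request#ip` logic, not the library's own code) picks the client IP when an internal hop like Nginx Proxy Manager sits between Cloudflare and the app, which is why the traffic looked local. The IP lists and addresses are constructed documentation ranges, not Cloudflare's real ranges.

```ruby
require 'ipaddr'

# Constructed stand-ins for the text returned by https://www.cloudflare.com/ips-v4
# and /ips-v6 (one CIDR per line, possibly with blank lines). Not real ranges.
SAMPLE_IPV4_LIST = "198.51.100.0/24\n203.0.113.0/24\n\n"
SAMPLE_IPV6_LIST = "2001:db8:1::/48\n"

# Turn list text into IPAddr entries. Invalid lines raise rather than being
# skipped, so a corrupted download never silently shrinks the trusted set.
def parse_cidr_list(text)
  text.lines.map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# Private/loopback defaults modelled on ActionDispatch::RemoteIp's list,
# expressed as IPAddr ranges so matching is exact rather than regex-based.
LOCAL_PROXIES = %w[127.0.0.0/8 ::1 fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                .map { |r| IPAddr.new(r) }

# True when ip lies inside any trusted range; unparsable strings are untrusted.
def trusted?(ip, trusted)
  addr = IPAddr.new(ip)
  trusted.any? { |range| range.include?(addr) }
rescue IPAddr::Error
  false
end

# Resolve the client IP: if the TCP peer is not a trusted proxy it is the client
# and X-Forwarded-For is ignored; otherwise walk X-Forwarded-For from the right,
# dropping every trusted hop, and the first untrusted hop is the client.
def client_ip(remote_addr, xff, trusted)
  return remote_addr unless trusted?(remote_addr, trusted)
  hops = xff.to_s.split(',').map(&:strip).reject(&:empty?)
  hops.reverse.each { |hop| return hop unless trusted?(hop, trusted) }
  remote_addr # every hop was a proxy; fall back to the peer
end

# The thread's setup: client -> Cloudflare edge -> internal NPM -> app.
# NPM (192.168.1.10) is the peer, so it is trusted by default; the Cloudflare
# edge (198.51.100.5) is only stripped once the fetched ranges are trusted too.
if __FILE__ == $PROGRAM_NAME
  cf = parse_cidr_list(SAMPLE_IPV4_LIST) + parse_cidr_list(SAMPLE_IPV6_LIST)
  xff = "192.0.2.7, 198.51.100.5"
  puts client_ip("192.168.1.10", xff, LOCAL_PROXIES)      # edge IP, not the client
  puts client_ip("192.168.1.10", xff, LOCAL_PROXIES + cf) # real client 192.0.2.7
end
```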
I see the addition of only allowing trusted proxies with v1.49.0 - my question is - I use Cloudflare for reverse proxy. It has a TON of IP addresses. We have to list each possible IP as "1.2.3.4,5,6,7,8"? That is going to be tedious, and occasionally they add to the list, etc.
Is there any way to have a variable for trusted proxy that is, for example, "cloudflare" and then it automagically knows to reach out, get the list of Cloudflare IPs and populate it into its own list on each boot or periodically, so that we don't have to list each individual IP of dozens?