Yii
Mark, 2019-10-20 12:58:34

How to get a user's real IP from Cloudflare in Yii2 and secure it against spoofing?

Cloudflare works as a reverse proxy, which makes it impossible to get the user's real IP through $request->userIP. This disrupts the site, in particular the processing of requests from payment systems.
The real IP is stored in the "CF-Connecting-IP" header. Yii2 has a feature for changing how the IP is obtained: Trusted proxies and headers. But we are urged to fill in trustedHosts, and it is not known in advance where Cloudflare will send data.
If you write a configuration that only lists which headers to take the IP from, everything works "as it should":

'request' => [
    // ...
    'ipHeaders' => [
        'CF-Connecting-IP',
        'X-Forwarded-For',
    ],
]

But isn't the site in danger due to substitution of the header?
I tried to replace "CF-Connecting-IP" with my own, to which Cloudflare itself gave an error: "DNS points to prohibited IP". Is the protection from Cloudflare itself enough, or is there something else that needs to be done?


2 answer(s)
Andrey Gavrilov, 2019-10-20
@MarkLb

There is such a thing as real ip
https://support.cloudflare.com/hc/en-us/articles/2...
And the ip will be processed correctly, including the user's real ip in the logs

Dimonchik, 2019-10-20
@dimonchik2013

not known in advance

Meaning?
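
The trusted-proxy setup the question refers to, as an added example (not code from the thread, Yii or Cloudflare): `CF-Connecting-IP` is honoured only when the connecting peer is inside a trusted range, so a client that reaches the origin directly cannot supply the header itself. It assumes Yii 2.0.13 or later and a hypothetical file `config/cloudflare-ips.txt` filled from the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```php
<?php
// config/web.php (fragment). Added example, not code from the thread.
// Assumption: config/cloudflare-ips.txt is a hypothetical local file holding the
// ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and /ips-v6,
// one CIDR per line, refreshed by a scheduled job.

$loadCidrs = static function (string $path): array {
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException("Cannot read proxy range list: $path");
    }
    $cidrs = [];
    foreach ($lines as $line) {
        $line = trim($line);
        [$ip, $bits] = array_pad(explode('/', $line, 2), 2, '');
        // Reject anything that is not "<valid IP>/<prefix length>".
        if (filter_var($ip, FILTER_VALIDATE_IP) === false || !ctype_digit($bits)) {
            throw new RuntimeException("Not a CIDR range: $line");
        }
        $cidrs[] = $line;
    }
    if ($cidrs === []) {
        // Fail loudly instead of silently running without a proxy allow-list.
        throw new RuntimeException('Proxy range list is empty');
    }
    return $cidrs;
};

return [
    // ... id, basePath and the other components ...
    'components' => [
        'request' => [
            // Only peers (REMOTE_ADDR) inside these ranges may supply secure headers.
            'trustedHosts' => $loadCidrs(__DIR__ . '/cloudflare-ips.txt'),
            // Headers stripped from every request that does not come from a trusted
            // host. Setting this replaces Yii's default list, so the forwarded
            // headers are listed again next to CF-Connecting-IP.
            'secureHeaders' => [
                'CF-Connecting-IP',
                'X-Forwarded-For',
                'X-Forwarded-Host',
                'X-Forwarded-Proto',
            ],
            // Where $request->userIP looks; it falls back to REMOTE_ADDR when the
            // header is absent or was stripped.
            'ipHeaders' => ['CF-Connecting-IP'],
        ],
    ],
];
```

With only `ipHeaders` set, as in the question, `CF-Connecting-IP` is not in `secureHeaders` and is therefore read from any peer that can reach the application.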
