Dokploy · 2mo ago
Scan

Need help with Cloudflare real ips

So I've been trying a lot of things, but I don't think they are working at all.
8 Replies
iamarpit · 2mo ago
Wanna add more details? What's not working?
Scan (OP) · 2mo ago
Real IPs, so nothing: X-Real-IP shows Cloudflare IPs, not the actual client one, which is a security issue.
iamarpit · 2mo ago
And you're saying it's currently showing your VM IP?
Scan (OP) · 2mo ago
No, the Cloudflare Cf-Connecting-Ip is not the X-Real-IP, which is a Cloudflare IP instead.
iamarpit · 2mo ago
I could be wrong, but if your actual IP is not exposed, then what's the problem?
Scan (OP) · 2mo ago
That the real IP has to be exposed to the web server? Client, not host.
designorant · 2mo ago
I was looking at this the other day for one of my apps. You'll need to add Cloudflare IPs as trusted in: Traefik File System > traefik.yml
```yaml
entryPoints:
  web:
    address: ':80'
    forwardedHeaders:
      trustedIPs:
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
  websecure:
    address: ':443'
    forwardedHeaders:
      trustedIPs:
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
    http3:
      advertisedPort: 443
    http:
      tls:
        certResolver: letsencrypt
```
Ideally you'll need a cron to update these. You can grab them from here: https://www.cloudflare.com/ips-v4/#
Their range: https://www.cloudflare.com/en-gb/ips/
Then in your app, you just grab cf-connecting-ip.
We could probably implement it for Dokploy Requests too with a sane default.
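The core of the cron update mentioned above, as an added example (not code from the thread or from Dokploy): it validates the body of the Cloudflare list before rendering `trustedIPs` entries, so a failed or altered fetch cannot empty or widen the trust list. The function names, the `MIN_PREFIX` threshold and the sample body are assumptions; fetching the URL and writing traefik.yml are left to the caller.

```python
import ipaddress

# Constructed sample: one CIDR per line, the shape of the ips-v4 list,
# using three of the ranges quoted in the post above.
SAMPLE_BODY = """173.245.48.0/20
103.21.244.0/22
104.16.0.0/12
"""

# Assumption: a range broader than /8 is treated as a bad fetch, not a real entry.
MIN_PREFIX = 8


def parse_cidrs(body):
    """Return sorted, validated IPv4 networks; raise ValueError on anything suspicious."""
    nets = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        # Raises ValueError for HTML error pages, stray text or host bits set.
        net = ipaddress.ip_network(line, strict=True)
        if net.version != 4 or net.prefixlen < MIN_PREFIX:
            raise ValueError(f"refusing range {line!r}")
        nets.append(net)
    if not nets:
        # An empty body must never replace a working trust list.
        raise ValueError("empty list; keep the existing config")
    return sorted(set(nets))


def render_trusted_ips(nets, indent=8):
    """YAML list items to place under forwardedHeaders.trustedIPs."""
    pad = " " * indent
    return "\n".join(f"{pad}- {n}" for n in nets)


def is_trusted(peer, nets):
    """True when the connecting peer address falls inside a trusted range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    networks = parse_cidrs(SAMPLE_BODY)
    print(render_trusted_ips(networks))
    print(is_trusted("104.16.1.1", networks), is_trusted("203.0.113.7", networks))
```

Run the validation before touching traefik.yml and only rewrite the file when `parse_cidrs` succeeds and the rendered list differs from the current one.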
Scan (OP) · 2mo ago
Thank you, I’ll look into this later
