#11777 Suggestion to detect cloudflare ip and real ip

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Sunday, 01 April 2012 01:44 CDT

user9856
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: 2.5.3
PHP version: 5.2.17
MySQL version: 5.1+
Host: (optional, but it helps us help you)
Admin Tools version: latest one

Description of my issue:
Hi there,

We are using CloudFlare to make the site faster. But when logging in to the back-end, whoever or wherever, the IP is fixed and from CloudFlare. When there is an attack or someone makes a mistake, Admin Tools bans this IP, and no one can access the back-end.

CloudFlare supports a module that can return the real IP; you can find it here:
http://extensions.joomla.org/extensions/site-management/content-networking/16320
Can you add this function in the next release so that Admin Tools will get the real IP?

Cheers,
F6admin

nicholas
Akeeba Staff
Manager
Sorry, I won't be implementing that. What you should actually do is to disable CloudFlare caching of your administrator area using their URL filters. Essentially, you want to set up CloudFlare so that anything starting with administrator/ does not go through CloudFlare. Please read their documentation, they have instructions about doing that.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user9856
Hi Nicholas,

We have already set the CloudFlare page rules for 24 hours, and it is still not working. (You can see the settings in the attachment.)

After reading the documentation and checking the HTTP headers, we found that CloudFlare puts the real user IP in CF-Connecting-IP; maybe Admin Tools does not detect this one?

reference: http://support.cloudflare.com/kb/top-frequently-asked-questions/why-do-my-traffic-or-visitor-logs-look-different

Any suggestion?

Cheers,
F6admin

nicholas
Akeeba Staff
Manager
Hello Stephan,

No, Admin Tools will never detect that. The reason is that it's a custom header sent by CloudFlare. If I add an exception for CloudFlare, I will have to do the same for every CDN, reverse proxy and whatnot out there. I'm not going to do that.

Furthermore, using automatic IP blocking in conjunction with a CDN is futile. The main purpose of using a CDN is caching the pages. This means that if an attacker tries to access a front-end page fifty times with the same request parameters, at most one request will be recorded. The only pages which are never cached are the back-end pages. Therefore, the automatic IP blocking (as well as the Whitelist and Blacklist features) cannot work reliably when behind a CDN. The good news is that CloudFlare performs some basic checks on its own, so it shouldn't let many suspicious requests reach your server after all.

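
The header question discussed in this thread, as an added example that is not part of the original ticket and is not Admin Tools code: a forwarded-IP header such as CF-Connecting-IP is only meaningful when the connection itself comes from the proxy, because any client connecting directly can send the same header. The function names, the 203.0.113.0/24 range and the sample requests are constructed placeholders; the header name and proxy ranges are parameters, so the same check covers any CDN or reverse proxy.

```php
<?php
// Added example; hypothetical helper names, not Admin Tools code.
// Constructed placeholder range (TEST-NET-3); use the ranges your CDN publishes.
$trustedProxies = array('203.0.113.0/24');

/** True if $ip lies inside $cidr (IPv4 or IPv6). */
function ipInCidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($parts[0], FILTER_VALIDATE_IP)) {
        return false; // unparsable address
    }
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($parts[0]);
    if (strlen($ipBin) !== strlen($netBin)) {
        return false; // IPv4 address against IPv6 range, or the reverse
    }
    $maxBits = strlen($netBin) * 8;
    $bits = $maxBits; // no prefix given: exact match
    if (isset($parts[1])) {
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $maxBits) {
            return false; // malformed prefix must never match
        }
        $bits = (int) $parts[1];
    }
    $fullBytes = $bits >> 3;
    $remBits   = $bits & 7;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

/** Client IP for logging/blocking; the header counts only if the TCP peer is a trusted proxy. */
function resolveClientIp(array $server, array $trustedProxies, $header = 'HTTP_CF_CONNECTING_IP')
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    foreach ($trustedProxies as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            $claimed = isset($server[$header]) ? trim($server[$header]) : '';
            // Accept only a single well-formed address; otherwise fall back to the peer.
            return filter_var($claimed, FILTER_VALIDATE_IP) ? $claimed : $peer;
        }
    }
    return $peer; // direct connection: the header value is client-controlled, ignore it
}
```

Called with `$_SERVER` and the proxy list, this returns the header value for a request whose `REMOTE_ADDR` is inside a trusted range and the plain `REMOTE_ADDR` for everything else, so a direct client that forges the header is still logged and blocked under its own address.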
