General Discussion / Re: Nginx plugin + Cloudflare proxying
« on: January 30, 2020, 10:33:52 am »
I totally agree they should.
As far as I can tell they use X-Real-IP internally, but say they don't pass it to the end user. It seems to be done to prevent conflicts.
They also use X-Forwarded-For, but they say it can include more IPs than just that of the user sending the request, including IPs of Cloudflare proxies.
*edit*
I also noticed another issue:
Cloudflare creates these public IP lists to be used as "Trusted Proxy IP":
https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6
OPNsense is awesome in allowing us to use those directly, by creating an alias and selecting "URL Table (IPs)", which works great.
But the NGINX plugin doesn't accept aliases created using the URL or URL TABLE option.
So we can't actually select those aliases for use with NGINX.
See: https://github.com/opnsense/plugins/blob/45250dd2e5823d059ab55a807f7524264729d8c9/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml#L649
*edit2*
Because I tend to not be lazy, I've sent in a quick-fix PR for the alias selector problem:
https://github.com/opnsense/plugins/pull/1680
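Added example (not part of the original post, and not code from OPNsense, nginx or Cloudflare): why a multi-entry X-Forwarded-For only becomes usable together with a trusted proxy list. It resolves the client address by walking the header right to left, the same idea as nginx's `real_ip_recursive`. The function names are hypothetical and the trusted ranges are constructed documentation prefixes standing in for the contents of the ips-v4/ips-v6 lists.

```python
import ipaddress

# Constructed stand-ins for the ranges published at cloudflare.com/ips-v4 and
# /ips-v6 (documentation prefixes, NOT Cloudflare's real ranges).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("198.51.100.0/24", "2001:db8:cf::/48")]


def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy ranges."""
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Return the address to treat as the client.

    peer: source address of the TCP connection.
    xff:  raw X-Forwarded-For header value, or None.
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header sent by an untrusted peer is attacker-controlled: ignore it.
    if not xff or not is_trusted(peer_addr):
        return str(peer_addr)
    candidate = peer_addr
    # Walk right to left: each hop appended the address it received from.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last address we could verify
        candidate = addr
        if not is_trusted(addr):
            break  # first untrusted hop from the right is the client
    return str(candidate)
```

Entries to the left of the first untrusted hop are never consulted, so a value the client injected at the front of the header cannot change the result.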