Level 122
You might need to inspect the request in more detail. Cloudflare might be forwarding you the original client IP under an additional CF-.... header
https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/
Apr 29, 2023
5
Level 1
Jetstream, Fortify storing wrong IP in session
Hi,
I have a basic laravel setup with Fortify and Jetstream, all works like a charm, but when I put it up for hosting it's behind cloudflare, so on the profile page, it is showing the ip address of cloudflare for the open sessions, not the actual ip address of the user.
I can replace the current ip, to take the one behind cloudflare, but how do I update this (responsibly) in the session info that JetStream provides, so it reflects back correctly on the profile page?
I've tried to search for this, but the only answer was to use TrustedProxies (which I use, to get it to work behind cloudflare), but it doesn't explain how to handle the IP address bit.
Any help is appriciated. Cheers, Marc
Level 1
Hi Snapey,
Thank you for your answer, I do know how to get the proper IP, but in the list on the profile page all the browser sessions have their IP stored in $session; so I need a way to get Jetstream to store the proper IP stored inside the $session object, so that when I get the list of browser sessions, they all have the correct IP, and not just the current IP on the current session.
I hope this clearifies it a little bit
Level 122
have you seen this page https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#JUxJSMn3Ht5c5yq
It talks about restoring REMOTE_ADDR using server script
I nosing around, I also found mention of unwanted side effect of all requests coming from a single IP - it messes up throttling middleware so fixing this issue is probably more important for this than for the profile page.
1 like
Level 1
Well thank you for pointing that out @snapey ;-) .. It means I was making this a way bigger deal than it needs to be ;-). In the end I ended up simply overwriting $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_X_FORWARDED_FOR'] with the correct 'external' IP in the public\index.php file.
My hosting is Digital Ocean, so I just did this on top in the public\index.php file:
if (isset($_SERVER["HTTP_DO_CONNECTING_IP"])) {
$_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_DO_CONNECTING_IP"];
$_SERVER['HTTP_X_FORWARDED_FOR'] = $_SERVER["HTTP_DO_CONNECTING_IP"];
}
Now everything including the logs are getting the proper IP address, so I reckon the throttling etc. will now also work as aspected (haven't tested it yet, but since I do the change at the start of execution, I reckon it would).
Since laravel is using getClientIp() throughout from vendor/symfony/http-foundation/Request.php, that's how I located what to change.
Thank you!
Level 122
Good. Please mark it answered.
Please or to participate in this conversation.