Title:

How to get CF to know a user’s real IP address, when behind a proxy, load balancer, caching solution, etc.

April 29, 2019 09:38:13 PM GMT
14 Comments
<p>If your server is behind a load balancer, proxy, or caching solution, you may need to know the "real" IP address of a user. Or perhaps you are a developer and, because of this same problem, you find that you can never get CF "debugging output" to appear, even though your IP address is in the CF Admin list. See this post for how to leverage the Tomcat RemoteIpValve, which can be configured easily within CF.</p>
<p>The post <a rel="nofollow" href="https://coldfusion.adobe.com/2019/04/get-cf-know-users-real-ip-address-behind-proxy-load-balancer-caching-solution-etc/">How to get CF to know a user’s real IP address, when behind a proxy, load balancer, caching solution, etc.</a> appeared first on <a rel="nofollow" href="https://coldfusion.adobe.com">ColdFusion</a>.</p>
Labels: Blog, ColdFusion, Troubleshooting, admin, blog, troubleshooting

Comments:

<p>Great article Charlie, as always! </p><p>We had this problem years ago here at work when a new proxy was installed and we found that it wasn’t forwarding the real IP at <em>all</em>. We had to ask our network team to change the configuration in the proxy appliance (I’d prefer not to say the name of the device, for security reasons). After they did that we started seeing X-Forwarded-For in the header data.</p>
Comment by yacoubean
2029 | May 01, 2019 08:28:05 PM GMT
Thanks for the kind regards, Jake. And had you guys used the remoteipvalve to get CF to regard that header? Or was this perhaps before CF10 (and CF's Tomcat integration)?
Comment by Charlie Arehart
2030 | May 02, 2019 03:23:35 AM GMT
Yeah, before CF10.
Comment by yacoubean
2041 | May 07, 2019 06:17:50 PM GMT
Hi Charlie- I did the change on my production server and did not get cgi.REMOTE_ADDR to reflect the IP in the CF-Connecting-IP, but a workaround I found was to just use this wherever I was using cgi.REMOTE_ADDR: var curIP = cgi.REMOTE_ADDR; if ( structKeyExists(cgi,'CF_Connecting_IP') ) curIP = cgi.CF_Connecting_IP;
Comment by Matthew Graff
2064 | May 22, 2019 10:39:25 PM GMT
Interesting idea, Matt. Thanks for sharing it. It may help some. As for the remoteipvalve not working, there can be various reasons that would be so. If you visit the Tomcat docs, you'll see the various additional attributes, which solve various problems. See especially the internal_proxies attribute, if there is yet some other proxy within your environment (like a load balancer), whose IP is not in the default list of them: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1.
Comment by Charlie Arehart
2065 | May 22, 2019 11:55:24 PM GMT
Would you recommend using GetHttpRequestData(false).headers? I believe we had to do this w/Adobe ColdFusion because it defaults to "true" and then headers can only be read once. (CFDocs.org indicates that this flag defaults to "false", but official Adobe documentation indicates that it defaults to "true".)
Comment by James Moberg
2066 | May 23, 2019 02:04:27 PM GMT
James, I would think it would be inconsequential for this need (to get the header). That arg is about whether to get the body, and the stated limitation that you can only get it once seems to be talking about the body instead, not the headers. But if you or anyone gets clarification on it, feel free to share. I have only ever used it without any arg, which (from the docs) defaults to false.
Comment by Charlie Arehart
2067 | May 23, 2019 08:41:37 PM GMT
Hi, this did not work for me on Azure. We added the valve, restarted, and nothing in the headers for the CF-Connecting-IP.
Comment by tribule
2096 | June 07, 2019 11:08:39 AM GMT
Check out the docs for the valve, for additional attributes that may help. As I said in a reply to someone else below, see especially the internal_proxies attribute, if there is yet some other proxy within your environment (like a load balancer), whose IP is not in the default list of them: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254.\d{1,3}.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1. If that works, please write back to help confirm for other readers.
Comment by Charlie Arehart
2097 | June 07, 2019 11:25:24 AM GMT
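Added example (not from the original post, the commenters, or Tomcat's source): a simplified Python model of the check that the two internal_proxies replies above (to Matthew Graff and to tribule) point at, where the forwarded header is honoured only when the direct peer matches the proxy list. The function names and all addresses are constructed for illustration.

```python
import re

# Default proxy list as quoted in the replies above (dots escaped throughout).
DEFAULT_INTERNAL = (
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|0:0:0:0:0:0:0:1"
)


def resolve_client_ip(peer_addr, header_value, internal_proxies=DEFAULT_INTERNAL):
    """Simplified model of the valve's decision; not Tomcat's own code.

    peer_addr: address of the direct TCP peer (what cgi.REMOTE_ADDR shows
    without the valve). header_value: the configured header's value or None.
    """
    trusted = re.compile(internal_proxies)
    # The header is honoured only when the direct peer is a listed proxy.
    if not header_value or not trusted.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    client = peer_addr
    # Right-most entries were appended by the hops nearest the server, so walk
    # right to left and stop at the first address that is not a listed proxy.
    for hop in reversed(hops):
        client = hop
        if not trusted.fullmatch(hop):
            break
    return client


def naive_client_ip(peer_addr, header_value):
    """Header-if-present fallback: accepts the header from any sender."""
    return header_value.split(",")[0].strip() if header_value else peer_addr


# Constructed addresses (documentation ranges), not taken from the page.
LB = "192.0.2.10"          # hypothetical load balancer outside the default list
CLIENT = "203.0.113.7"     # hypothetical real visitor

if __name__ == "__main__":
    print(resolve_client_ip("10.0.0.5", CLIENT))           # proxy is in the list
    print(resolve_client_ip(LB, CLIENT))                   # proxy is not in the list
    print(resolve_client_ip(LB, CLIENT, DEFAULT_INTERNAL + r"|192\.0\.2\.10"))
    print(resolve_client_ip("198.51.100.23", "10.1.1.1"))  # header from a non-proxy
    print(naive_client_ip("198.51.100.23", "10.1.1.1"))
```

With the load balancer at an address outside the list, the model leaves the remote address unchanged until that address is added to the pattern, which is the "valve added, nothing changed" symptom. A header arriving from a peer outside the list is ignored by the model but accepted by the header-if-present fallback.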
Tribule, did it work for you, with that additional info?
Comment by Charlie Arehart
2141 | June 28, 2019 05:15:13 PM GMT
Is there any way to identify the "remote port"?  I was using ColdFusion to log some abuse and the remote network admin asked me if I could identify the port used (since they operate a VPN).  Is there any way to identify this using IIS & ColdFusion?  (While researching, I discovered that modern PHP returns this as $_SERVER.REMOTE_PORT.)
Comment by James Moberg
2142 | July 01, 2019 06:01:32 PM GMT
Might you mean simply what's reported in cgi.server_port?
Comment by Charlie Arehart
2143 | July 02, 2019 03:40:34 AM GMT
True-Client-IP is another header name that is used by CloudFlare and others.
Comment by Benjamin Reid
4795 | July 15, 2020 11:31:02 PM GMT
<p>Sure, Benjamin, and thanks. To be clear, that’s why when I indicated headers I did refer to “in most cases”, as they are many and varied. (And again, they may be injected by various intercepting resources/proxies along the way.)</p><p>More important, this is why I showed HOW one would see what header IS being passed in. In some years, still some other header may become more popular.</p>
Comment by Charlie Arehart
4799 | July 16, 2020 06:43:46 PM GMT