Today I learned about Cloudflare Proxy IPs

Cloudflare Proxy IPs

One mistake I did this week was to rate limit users based on their IP address. This seems fine at first but I did not realise that the IP I was rate-limiting was not the user's real IP address, but the Cloudflare Proxy IP address.

How to get the user's real IP address

First, by searching on the net I discovered that you must whitelist the Cloudflare IPs at Traefik level, so Traefik can pass the user's real IP address to the backend.

I've added the following in my Docker-compose Traefik container:

# Trust Cloudflare IPs for forwarded headers
- --entrypoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32

For info, the IPs can be found here.

Then, in my Node server, I just had to use the Cf-Connecting-Ip header to get the user's real IP address.

const realIp = event.req.headers["cf-connecting-ip"];