If your system shows the same IP address for every client connected to your site, that is because CloudProxy is a passthrough WAF: it sits in the middle of the communication between the clients and the hosting server so that it can filter malicious requests. Because of that, the headers are modified and the source IP is shown as the CloudProxy IP.

You can read more details about this here.

In case your application needs the real user IP, there are some options to make it work:

Apache

mod_rpaf

mod_rpaf (For Debian Wheezy)

Apache 2.4

Apache 2.4 and above usually comes with mod_remoteip installed; you just need to enable it. If mod_remoteip has not been included in your Apache install, you can download it here: mod_remoteip

If you enable the trusted proxy IP setting, you should use the following configuration:

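# mod_remoteip takes the HTTP header field name (not the CGI-style HTTP_* variable),
# and only the last RemoteIPHeader in a given context takes effect.
RemoteIPHeader X-Sucuri-ClientIP
# Other headers carrying the client IP: X-Forwarded-For, X-Real-IP
RemoteIPTrustedProxy 2a02:fe80::/29
RemoteIPTrustedProxy 192.88.134.0/23
RemoteIPTrustedProxy 66.248.200.0/22
RemoteIPTrustedProxy 192.124.249.0/24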

Nginx

ngx_http_realip_module

After enabling ngx_http_realip_module you should add the following to your nginx configuration:

# Define header with original client IP
real_ip_header X-Forwarded-For;
# Define trusted CloudProxy IPs
set_real_ip_from 192.88.134.0/23;
set_real_ip_from 185.93.228.0/22;
set_real_ip_from 66.248.200.0/22;
set_real_ip_from 2a02:fe80::/29;

LiteSpeed

In the LiteSpeed Web Admin Panel go to Configuration -> Server -> General Settings and set Use Client IP in Header to ‘Yes’.

IIS using Advanced Logging

Details here

IIS using Web.config

<configuration>
   <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->                
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
        <add ipAddress="192.88.134.0" subnetMask="255.255.254.0" allowed="true"/>   <!--allow network-->        
        <add ipAddress="185.93.228.0" subnetMask="255.255.252.0" allowed="true"/>   <!--allow network--> 
        <add ipAddress="66.248.200.0" subnetMask="255.255.252.0" allowed="true"/>   <!--allow network--> 
        <add ipAddress="2a02:fe80::" subnetMask="ffff:fff8::" allowed="true" />   <!-- allow IPv6 network 2a02:fe80::/29 -->
      </ipSecurity>
      </security>
      <modules runAllManagedModulesForAllRequests="true"/>
   </system.webServer>
</configuration>

WordPress

Simply install the Sucuri Plugin

PHP

Add the following code to your application (the config.php or configuration.php is usually a good location):

if(isset($_SERVER['HTTP_X_SUCURI_CLIENTIP']))
{
    $_SERVER["REMOTE_ADDR"] = $_SERVER['HTTP_X_SUCURI_CLIENTIP'];
}
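
The snippet above accepts the header on every request, while the Apache, Nginx and vBulletin sections honour it only from trusted proxy addresses. The following added example (not Sucuri's code) applies the same trusted-proxy check in PHP, using the ranges from the Nginx section; the function names ip_in_cidr and real_client_ip and the sample requests are constructed for illustration.

```php
<?php
// Added example, not Sucuri's code. Function names are hypothetical.

/** True if $ip lies inside $cidr (IPv4 or IPv6). */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '');
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid address or IPv4/IPv6 family mismatch
    }
    if (!ctype_digit($bits) || (int) $bits > strlen($ipBin) * 8) {
        return false; // missing or out-of-range prefix length
    }
    $bytes = intdiv((int) $bits, 8); // whole bytes covered by the prefix
    $rem   = (int) $bits % 8;        // leftover prefix bits in the next byte
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

/** Return the header IP only when the TCP peer is a trusted firewall address. */
function real_client_ip(array $server, array $trusted): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $hdr  = $server['HTTP_X_SUCURI_CLIENTIP'] ?? '';
    if (filter_var($hdr, FILTER_VALIDATE_IP) === false) {
        return $peer; // header missing or not an IP address
    }
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return $hdr;
        }
    }
    return $peer; // direct connection: ignore the client-supplied header
}

// Firewall ranges as listed in the Nginx section of this page.
$trusted = ['192.88.134.0/23', '185.93.228.0/22', '66.248.200.0/22', '2a02:fe80::/29'];
// Constructed sample requests: one through the firewall, one straight to the origin.
$viaFirewall = ['REMOTE_ADDR' => '192.88.134.10', 'HTTP_X_SUCURI_CLIENTIP' => '203.0.113.7'];
$direct      = ['REMOTE_ADDR' => '198.51.100.20', 'HTTP_X_SUCURI_CLIENTIP' => '203.0.113.7'];
echo real_client_ip($viaFirewall, $trusted), "\n", real_client_ip($direct, $trusted), "\n";
```

In config.php the assignment then becomes $_SERVER['REMOTE_ADDR'] = real_client_ip($_SERVER, $trusted); so a request that reaches the origin without passing through the firewall keeps its own source address.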

Magento

Edit the Magento configuration file /app/etc/local.xml.additional and replace this:

<remote_addr_headers><!-- list headers that contain real client IP if webserver is behind a reverse proxy -->
    <header1>HTTP_X_REAL_IP</header1>
    <header2>HTTP_X_FORWARDED_FOR</header2>
</remote_addr_headers>

with:

<remote_addr_headers><!-- list headers that contain real client IP if webserver is behind a reverse proxy -->
    <header1>HTTP_X_SUCURI_CLIENTIP</header1>
</remote_addr_headers>

IP Board

Settings: Security and Privacy -> “Enable X_FORWARDED_FOR IP matching” set to ‘yes’.

vBulletin 4.2+

vBulletin 4.2 and newer include a feature for running behind a proxy like CloudProxy. Look inside your /includes/config.php file for the following code:

/* #### Reverse Proxy IP #### 
If your use a system where the main IP address passed to vBulletin is the address of a proxy server 
and the actual 'real' ip address is passed in another http header then you enter the details here */

/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
//$config['Misc']['proxyiplist'] = '127.0.0.1, 192.168.1.6';

/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
//$config['Misc']['proxyipheader'] = 'HTTP_X_FORWARDED_FOR';

And modify it to the following to work with our firewall:

/* #### Reverse Proxy IP #### 
If your use a system where the main IP address passed to vBulletin is the address of a proxy server 
and the actual 'real' ip address is passed in another http header then you enter the details here */

/* Enter your known [trusted] proxy servers here. You can list multiple trusted IPs separated by a comma.*/
$config['Misc']['proxyiplist'] = '192.88.134.2, 192.88.134.3, 192.88.134.4, 192.88.134.5, 192.88.134.6, 192.88.134.7, 192.88.134.8, 192.88.134.9, 192.88.134.10, 192.88.134.11, 192.88.134.12, 192.88.134.13, 192.88.134.14, 192.88.134.15, 192.88.134.16, 192.88.135.2, 192.88.135.3, 192.88.135.4, 192.88.135.5, 192.88.135.6, 192.88.135.7, 192.88.135.8, 192.88.135.9, 192.88.135.10, 192.88.135.11, 192.88.135.12, 192.88.135.13, 192.88.135.14, 192.88.135.15, 192.88.135.16, 185.93.228.2, 185.93.228.3, 185.93.228.4, 185.93.228.5, 185.93.228.6, 185.93.228.7, 185.93.228.8, 185.93.228.9, 185.93.228.10, 185.93.228.11, 185.93.228.12, 185.93.228.13, 185.93.228.14, 185.93.228.15, 185.93.228.16, 185.93.229.2, 185.93.229.3, 185.93.229.4, 185.93.229.5, 185.93.229.6, 185.93.229.7, 185.93.229.8, 185.93.229.9, 185.93.229.10, 185.93.229.11, 185.93.229.12, 185.93.229.13, 185.93.229.14, 185.93.229.15, 185.93.229.16, 185.93.230.2, 185.93.230.3, 185.93.230.4, 185.93.230.5, 185.93.230.6, 185.93.230.7, 185.93.230.8, 185.93.230.9, 185.93.230.10, 185.93.230.11, 185.93.230.12, 185.93.230.13, 185.93.230.14, 185.93.230.15, 185.93.230.16';

/* If the real IP is passed in a http header variable other than HTTP_X_FORWARDED_FOR, then you can set the name here; */
$config['Misc']['proxyipheader'] = 'HTTP_X_SUCURI_CLIENTIP';

If you are not able to find that code inside your /includes/config.php file, you can just add it to the bottom of the file. Make sure you remove the // at the beginning of the 2 lines containing the IP addresses and the header line.

Note: If you run into issues with the IPv6 addresses (2a02:fe80::/29), and your host does not have an IPv6 address assigned, you should remove those lines from any directive.

 
