Git Product home page Git Product logo

cloudflare-ip's Introduction

cloudflare-ip NPM version Build Status Dependency Status

Check if an IP address is in Cloudflare's IP address range.

Cloudflare's IP addresses are pubicly available.


Why: If your app is behind a reverse proxy like Cloudflare, then you generally don't want to handle requests that bypass it. At the very least, you'll want to ensure that the user cannot spoof their IP address by setting headers that you thought you could depend on like X-Forwarded-For.

Chuck this library into some upstream middleware to short-circuit on requests that aren't coming from Cloudflare.

Scroll down to the Enforcing X-Forwarded-For section for some further thoughts.

Install

npm install --save cloudflare-ip

Usage

const cloudflareIp = require('cloudflare-ip');

// non-cloudflare ips should be false
cloudflareIp('66.249.66.1')                // false
cloudflareIp('1.1.1.1')                    // false
// localhost should be false
cloudflareIp('127.0.0.1'))                 // false
cloudflareIp('::1'))                       // false
// garbage should be false
cloudflareIp()                             // false
cloudflareIp('')                           // false
cloudflareIp(0)                            // false
cloudflareIp('chicken')                    // false
// cloudflare ips should pass
cloudflareIp('103.21.244.0'))              // true
cloudflareIp('2400:cb00:0000::0000'))      // true

Syncing with Cloudflare

Scrape Cloudflare's list and update the ips.json file:

npm run update-list

If this produces a change, then this library needs to be updated.

Enforcing X-Forwarded-For

The X-Forwarded-For request header is an array of IP addresses ordered from upstream to downstream. When a proxy forwards a request, it typically appends the connecting IP address to this list before sending it on.

You only trust a given index of X-Forwarded-For when it's a length that you expect. For example, if you're using Nginx and you configure it to never relay the upstream header, then you'll know an honest request would always have an X-Forwarded-For of length one.

If your reverse proxy relays and appends to this header, then the user can spoof their own X-Forwarded-For header if you're not careful.

Here are some examples to think about when validating requests.

Example 1: App <- Heroku <- Cloudflare

If your app is running on Heroku behind Cloudflare, then an honest request will look like:

ip: herokuLoadBalancer
x-forwarded-for: [realUser, cloudflare]

If you assert that the 2nd value of X-Forwarded-For is a Cloudflare IP address in the naive attempt to ensure that requests are coming through Cloudflare, then a dishonest user can connect directly to your Heroku server with a spoofed X-Forwarded-For [spoofUser, spoofCloudflare] and your app will see this:

ip: herokuLoadBalancer
x-forwarded-for: [spoofUser, spoofCloudflare, realUser]

So by checking the 2nd value of X-Forwarded-For, you would be validating a spoofable IP address.

The simplest solution in this example would be to validate the 2nd X-Forwarded-For IP address but also ensure that X-Forwarded-For has exactly two IP addresses.

Example middleware:

app.use(function * (next) {
  if (config.NODE_ENV !== 'production') yield next
  if (!this.get('x-forwarded-for')) return
  const fwd = this.get('x-forwarded-for').split(',')
  if (fwd.length !== 2) return
  if (!cloudflareIp(fwd[1])) return
  yield next
})

Example 2: App <- Cloudflare

If your app is running on port 80 and is only behind Cloudflare, then an honest request will look like:

ip: cloudflare
x-forwarded-for: [realUser]

You could validate that the connecting IP address is Cloudflare's and that X-Forwarded-For has a length of one before trusting the first value of X-Forwarded-For to be the user's IP address.

Development

npm test

License

MIT

cloudflare-ip's People

Contributors

danneu avatar erisds avatar uniibu avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.