# cfml-general
r
When a request comes in via a firewall, is there a way to find out where the request actually came from before the firewall got involved?
r
Typically you can use X-Forwarded-For if it's been set up on the firewall.
r
There can be, but it will depend on the consistent configuration of the layers between the application and the outside world. Tomcat, for instance, can be configured via its Remote IP Valve to help get the originating IP to come through via a particular header (`x-forwarded-for` is the default). For that to work, all of the intervening firewall/proxy/load balancer/etc. layers have to be configured consistently to work with that same header.
r
Thanks both. I'd get to that via `getHttpRequestData()` right?
r
getHttpRequestData().headers, "X-Forwarded-For"
r
Or if the intervening layers are all configured correctly/consistently, it will just come through as `cgi.remote_addr`. That matters if, for instance, you need to enable debugging in the CF administrator for a specific IP.
r
Just to say, `getHTTPRequestData().headers['X-Forwarded-For']` is working for me, so thank you both 👍
b
Note there are some custom HTTP headers used by specific proxies such as Cloudflare as well.
A proxy also isn't guaranteed to pass along forwarded-for headers, but they usually do. Only trust them if you trust the proxy.
r
That's good to know, thanks. I'm also asking our network team to provide some firewall logs which should help.
r
We have an include with a function that handles x-forwarded and the Cloudflare one.....
```
<!--- this is because Cloudflare changes the inbound IP - they pass the real IP in CF-Connecting-IP or X-Forwarded-For (the latter of which can be a list, otherwise these two are identical, but the former is cloudflare-specific) --->
<cffunction name="getClientIP" returntype="string" output="no" access="public">
    <cfset remoteout = "">
    <cftry>
        <cfset remoteout = ListFirst(getHttpRequestData().headers["X-Forwarded-For"], ",")>
        <cfcatch></cfcatch>
    </cftry>
    <cftry>
        <cfif remoteout eq ''>
            <cfset remoteout = getHttpRequestData().headers["CF-Connecting-IP"]>
        </cfif>
        <cfcatch></cfcatch>
    </cftry>
    <cfif remoteout eq ''>
        <cfset remoteout = cgi.REMOTE_ADDR>
    </cfif>
    <cfreturn remoteout>
</cffunction>
```
b
Suggestion
• get the headers once
• use structKeyExists instead of try catch
error handling will always perform worse than a struct key check.