[Enhancement]: DNN behind Cloudflare - HTTP_X_FORWARDED_FOR

[fablaser]

Is there an existing issue for this?

• I have searched the existing issues

Description of problem

Hello, I have some websites behind Cloudflare's WAF. I currently use Request.ServerVariables("HTTP_X_FORWARDED_FOR") for my own applicatoin log. So I can log real IP address of clients, not just Cloudflare ip addresses. It would be useful to have an option that allows DNN to log IP using this variable.

Description of solution

implement Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Description of alternatives considered

No response

Anything else?

No response

Do you be plan to contribute code for this enhancement?

• Yes

Would you be interested in sponsoring this enhancement?

• Yes

Code of Conduct

• I agree to follow this project's Code of Conduct

[jeremy-farrance]

Related? to #5073 ?

This sounds like an enhancement that a lot of people would appreciate. Well, at least me!

[valadas]

@fablaser can you try setting it here and see if that works ?

[fablaser]

@fablaser can you try setting it here and see if that works ?

Hello,
I tried to follow the configuration, but I does not work... After changed it I tried to clear cache and recycle app pool. Anyway any operation (such as failed login) will be logged with Cloudflare ip address... I also tried "x-forwarded-for" variable.

[fablaser]

Related? to #5073 ?

This sounds like an enhancement that a lot of people would appreciate. Well, at least me!

Yes, it is related to it! I did not noticed this previous request

[valadas]

Just reading some code, it looks like one could add an entry in the HostSettings table to specify that header

https://github.com/dnnsoftware/Dnn.Platform/blob/9f4833f5dcba24e0dbd194338c2a50a03a43da83/DNN%20Platform/Library/Services/UserRequest/UserRequestIPAddressController.cs#L27C1-L28C1

[fablaser]

Hello
thank you for your support.

I tried to add a new record in HostSettings table with these values:

SettingName: UserRequestIPHeader
SettingValue: X-Forwarded-For

Then I cleared cache and recycled app pool, but the result is always the same: every failed login, in logs, has the cloudflare ip address...

[fablaser]

Just reading some code, it looks like one could add an entry in the HostSettings table to specify that header

https://github.com/dnnsoftware/Dnn.Platform/blob/9f4833f5dcba24e0dbd194338c2a50a03a43da83/DNN%20Platform/Library/Services/UserRequest/UserRequestIPAddressController.cs#L27C1-L28C1

Hello,
I simply needed to write "X-Forwarded-For" in lower case!
Thanks!!

[jeremy-farrance]

Hello,
I simply needed to write "X-Forwarded-For" in lower case!

Wait, what? Are you saying,

• in code you need it lower cased... Request.ServerVariables() or

• the Value it the SQL table HostSettings

needed to be lowercase?

[valadas]

That is surprising, they document it with capitals https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#x-forwarded-for

[fablaser]

Wait, what? Are you saying,
* in code you need it lower cased... Request.ServerVariables() or
* the Value it the SQL table HostSettings

needed to be lowercase?

In SQL HostSettings table. When DNN launces this code:

 var userRequestIPHeader = HostController.Instance.GetString("UserRequestIPHeader", "X-Forwarded-For");
 var userIPAddress = string.Empty;
 if (request.Headers.AllKeys.Contains(userRequestIPHeader))

AllKeys.Contains(userRequestIPHeader)) does not matches "X-Forwarded-For", it is seems to be case sensitive.

[fablaser]

That is surprising, they document it with capitals https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#x-forwarded-for

Perhaps it should be useful to change the code using Contains(userRequestIPHeader, IEqualityComparer) so that it would be case insensitive...

[valadas]

Oh, I see, so you went from X-FORWARDED-FOR to X-Forwarded-For right ?

[ronnydodd]

I wont ask again, please take me off your mailing list, NOW! Frank DeSocio Bpaa Executive Director 817-385-8428 316-648-2479 cell From: Daniel Valadas ***@***.***> Sent: Thursday, October 3, 2024 7:46 AM To: dnnsoftware/Dnn.Platform ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [dnnsoftware/Dnn.Platform] [Enhancement]: DNN behind Cloudflare - HTTP_X_FORWARDED_FOR (Issue #6145) Caution: This message came from outside the IBC network. Use caution with links and attachments. Oh, I see, so you went from X-FORWARDED-FOR to X-Forwarded-For right ? — Reply to this email directly, view it on GitHub<#6145 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AFO2FYUHI7KYFSFBA3A37WTZZU4BFAVCNFSM6AAAAABPFYXO3OVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOJRGMZTCMRUHE>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[valadas]

@ronnydodd I did not email you, this is a reply to a github issue, not sure how but you are somehow following this issue. Please go to #6145 and unsubscribe from it if you don't want these emails.

[fablaser]

Oh, I see, so you went from X-FORWARDED-FOR to X-Forwarded-For right ?

In my own code I used X-FORWARDED-FOR, but it does not matter if I use request.Headers['X-FORWARDED-FOR'], request.Headers['X-Forwarded-For'] or request.Headers['x-forwarded-for'], they will work fine.

The issue has been caused by "request.Headers.AllKeys.Contains(userRequestIPHeader)" in DNN code you mentioned yesterday. "Contains" method is case sensitive. In my header's collection I see "x-forwarded-for" (lower), so I need to use this string in hostsettings table.

So, the line
if (request.Headers.AllKeys.Contains(userRequestIPHeader))

should be modified in order to use Request.Headers.AllKeys.Contains(userRequestIPHeader, iEqualityComparer) and make the comparison caseinsensitive.

[MarietteNL]

I use x-forwarded-for in the Hostsettings table and that works fine. All small letters