Laravel, Cloudflare and Trusted Proxies

When using Cloudflare to manage your site, you may notice that if you check the ip address of the request, it will be an ip address from Cloudflare. This is happening because Cloudflare is proxying the request to your server. To get around this issue and get the original request ip, you need to configure trusted proxies in Laravel.

This is important because the throttle middleware checks the request ip and throttles based on ip. If all request look like they are coming from Cloudflare, this will cause issues.

One option would be to allow all but I would not recommend this.

'proxies' => '*',

Another option would be to just hardcode all Cloudflare’s ip address. But what if they change?

'proxies' => [
 '103.21.244.0/22',
 '103.22.200.0/22',
 '103.31.4.0/22',
 '104.16.0.0/12',
 '108.162.192.0/18',
 '131.0.72.0/22',
 '141.101.64.0/18',
 '162.158.0.0/15',
 '172.64.0.0/13',
 '173.245.48.0/20',
 '188.114.96.0/20',
 '190.93.240.0/20',
 '197.234.240.0/22',
 '198.41.128.0/17'],

The best option would be for the range of ip address to auto-update if they change. Fortunately, a great package exists that does just that.

Install the package and make sure you have the reload command set to run daily to ensure the range of ip address are up to date.

$schedule->command('cloudflare:reload')->daily();

Be sure to check out the great article covering trusted proxies on Laravel News.


Originally published at Tim Leland.