You are here

class ClientIpRestore in CloudFlare 8

Restores the true client Ip address.

Hierarchy

Expanded class hierarchy of ClientIpRestore

See also

https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Clou...

1 file declares its use of ClientIpRestore
ClientIpRestoreTest.php in tests/src/Unit/ClientIpRestoreTest.php
1 string reference to 'ClientIpRestore'
cloudflare.services.yml in ./cloudflare.services.yml
cloudflare.services.yml
1 service uses ClientIpRestore
cloudflare.clientiprestore in ./cloudflare.services.yml
Drupal\cloudflare\EventSubscriber\ClientIpRestore

File

src/EventSubscriber/ClientIpRestore.php, line 23

Namespace

Drupal\cloudflare\EventSubscriber
View source
class ClientIpRestore implements EventSubscriberInterface {
  use StringTranslationTrait;
  const CLOUDFLARE_RANGE_KEY = 'cloudflare_range_key';
  const CLOUDFLARE_CLIENT_IP_RESTORE_ENABLED = 'client_ip_restore_enabled';
  const CLOUDFLARE_BYPASS_HOST = 'bypass_host';
  const IPV4_ENDPOINTS_URL = 'https://www.cloudflare.com/ips-v4';
  const IPV6_ENDPOINTS_URL = 'https://www.cloudflare.com/ips-v6';

  /**
   * Cache backend service.
   *
   * @var \Drupal\Core\Cache\CacheBackendInterface
   */
  protected $cache;

  /**
   * The settings configuration.
   *
   * @var \Drupal\Core\Config\Config
   */
  protected $config;

  /**
   * The HTTP client to fetch the feed data with.
   *
   * @var \GuzzleHttp\ClientInterface
   */
  protected $httpClient;

  /**
   * A logger instance.
   *
   * @var \Psr\Log\LoggerInterface
   */
  protected $logger;

  /**
   * TRUE/FALSE if client ip restoration enabled.
   *
   * @var bool
   */
  protected $isClientIpRestoreEnabled;

  /**
   * Constructs a ClientIpRestore.
   *
   * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
   *   The factory for configuration objects.
   * @param \Drupal\Core\Cache\CacheBackendInterface $cache
   *   Cache backend.
   * @param \GuzzleHttp\ClientInterface $http_client
   *   A Guzzle client object.
   * @param \Psr\Log\LoggerInterface $logger
   *   A logger instance.
   */
  public function __construct(ConfigFactoryInterface $config_factory, CacheBackendInterface $cache, ClientInterface $http_client, LoggerInterface $logger) {
    $this->httpClient = $http_client;
    $this->cache = $cache;
    $this->config = $config_factory
      ->get('cloudflare.settings');
    $this->logger = $logger;
    $this->isClientIpRestoreEnabled = $this->config
      ->get(SELF::CLOUDFLARE_CLIENT_IP_RESTORE_ENABLED);
    $this->bypassHost = $this->config
      ->get(SELF::CLOUDFLARE_BYPASS_HOST);
  }

  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() {
    $events[KernelEvents::REQUEST][] = [
      'onRequest',
      20,
    ];
    return $events;
  }

  /**
   * Restores the origination client IP delivered to Drupal from CloudFlare.
   */
  public function onRequest(GetResponseEvent $event) {
    if (!$this->isClientIpRestoreEnabled) {
      return;
    }
    $current_request = $event
      ->getRequest();
    $cf_connecting_ip = $current_request->server
      ->get('HTTP_CF_CONNECTING_IP');
    $has_http_cf_connecting_ip = !empty($cf_connecting_ip);
    $has_bypass_host = !empty($this->bypassHost);
    $client_ip = $current_request
      ->getClientIp();
    $incoming_uri = $current_request
      ->getHost();
    $request_expected_to_bypass_cloudflare = $has_bypass_host && $this->bypassHost == $incoming_uri;
    if ($request_expected_to_bypass_cloudflare) {
      return;
    }
    if (!$has_http_cf_connecting_ip) {
      $message = $this
        ->t("Request came through without being routed through CloudFlare.");
      $this->logger
        ->warning($message);
      return;
    }
    $has_ip_already_changed = $client_ip == $cf_connecting_ip;

    // Some environments may make the alteration for us. In which case no
    // action is required.
    if ($has_ip_already_changed) {
      $url_to_settings = Url::fromRoute('cloudflare.admin_settings_form');
      $link_to_settings = $url_to_settings
        ->getInternalPath();
      $message = $this
        ->t('Request has already been updated.  This functionality should be deactivated. Please go <a href="@link_to_settings">here</a> to disable "Restore Client Ip Address".', [
        '@link_to_settings' => $link_to_settings,
      ]);
      $this->logger
        ->warning($message);
      return;
    }
    $cloudflare_ipranges = $this
      ->getCloudFlareIpRanges();
    $request_originating_from_cloudflare = IpUtils::checkIp($client_ip, $cloudflare_ipranges);
    if ($has_http_cf_connecting_ip && !$request_originating_from_cloudflare) {
      $message = $this
        ->t("Client IP of @client_ip does not match a known CloudFlare IP but there is HTTP_CF_CONNECTING_IP of @cf_connecting_ip.", [
        '@cf_connecting_ip' => $cf_connecting_ip,
        '@client_ip' => $client_ip,
      ]);
      $this->logger
        ->warning($message);
      return;
    }

    // As the changed remote address will make it impossible to determine
    // a trusted proxy, we need to make sure we set the right protocal as well.
    // @see \Symfony\Component\HttpFoundation\Request::isSecure()
    $event
      ->getRequest()->server
      ->set('HTTPS', $event
      ->getRequest()
      ->isSecure() ? 'on' : 'off');
    $event
      ->getRequest()->server
      ->set('REMOTE_ADDR', $cf_connecting_ip);
    $event
      ->getRequest()
      ->overrideGlobals();
  }

  /**
   * Get a list of cloudflare IP Ranges.
   *
   * @return array
   *   Listing of the CloudFlareIP edge server IP ranges
   */
  public function getCloudFlareIpRanges() {
    if ($cache = $this->cache
      ->get(self::CLOUDFLARE_RANGE_KEY)) {
      return $cache->data;
    }
    try {
      $ipv4_raw_listings = trim((string) $this->httpClient
        ->get(SELF::IPV4_ENDPOINTS_URL)
        ->getBody());
      $ipv6_raw_listings = trim((string) $this->httpClient
        ->get(SELF::IPV6_ENDPOINTS_URL)
        ->getBody());
      $iv4_endpoints = explode("\n", $ipv4_raw_listings);
      $iv6_endpoints = explode("\n", $ipv6_raw_listings);
      $cloudflare_ips = array_merge($iv4_endpoints, $iv6_endpoints);
      $cloudflare_ips = array_map('trim', $cloudflare_ips);
      if (empty($cloudflare_ips)) {
        $this->logger
          ->error("Unable to get a listing of CloudFlare IPs.");
        return [];
      }
      $this->cache
        ->set(SELF::CLOUDFLARE_RANGE_KEY, $cloudflare_ips, Cache::PERMANENT);
      return $cloudflare_ips;
    } catch (RequestException $exception) {
      $this->logger
        ->error("Unable to get a listing of CloudFlare IPs. " . $exception
        ->getMessage());
    }
  }

}

Members

Namesort descending Modifiers Type Description Overrides
ClientIpRestore::$cache protected property Cache backend service.
ClientIpRestore::$config protected property The settings configuration.
ClientIpRestore::$httpClient protected property The HTTP client to fetch the feed data with.
ClientIpRestore::$isClientIpRestoreEnabled protected property TRUE/FALSE if client ip restoration enabled.
ClientIpRestore::$logger protected property A logger instance.
ClientIpRestore::CLOUDFLARE_BYPASS_HOST constant
ClientIpRestore::CLOUDFLARE_CLIENT_IP_RESTORE_ENABLED constant
ClientIpRestore::CLOUDFLARE_RANGE_KEY constant
ClientIpRestore::getCloudFlareIpRanges public function Get a list of cloudflare IP Ranges.
ClientIpRestore::getSubscribedEvents public static function Returns an array of event names this subscriber wants to listen to.
ClientIpRestore::IPV4_ENDPOINTS_URL constant
ClientIpRestore::IPV6_ENDPOINTS_URL constant
ClientIpRestore::onRequest public function Restores the origination client IP delivered to Drupal from CloudFlare.
ClientIpRestore::__construct public function Constructs a ClientIpRestore.
StringTranslationTrait::$stringTranslation protected property The string translation service. 1
StringTranslationTrait::formatPlural protected function Formats a string containing a count of items.
StringTranslationTrait::getNumberOfPlurals protected function Returns the number of plurals supported by a given language.
StringTranslationTrait::getStringTranslation protected function Gets the string translation service.
StringTranslationTrait::setStringTranslation public function Sets the string translation service to use. 2
StringTranslationTrait::t protected function Translates a string to the current language or to a given language.