problem with rewritten IP

[happysalada]

even though I get the right IP in the "x-forwarded-for" header, the remote IP is not rewritten properly. Maybe an additional header is problematic here? (I'm behind cloudfllare)
Here is what I get
remote_ip is {10, 255, 0, 2}
forwarded IP, 197.245.12.24

Here is my config (I just took this from somebody else using cloudflare)

    # https://github.com/ajvondrak/remote_ip/issues/6
    plug(RemoteIp,
      headers: ~w(forwarded x-forwarded-for x-client-ip x-real-ip cf-connecting-ip),
      proxies:
        ~w(103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 2400:cb00::/32 2405:b500::/32 2606:4700::/32 2803:f800::/32 2c0f:f248::/32 2a06:98c0::/29)
    )

am I missing something?

[ajvondrak]

It really just depends on what the headers of your request look like. Once you know that, tracing through the algorithm will tell you how RemoteIp came to its conclusion. That's the easier part: the harder part is knowing which layers in your system added which headers and when. Off the top of my head, it could be that the multiple headers are being parsed in an order that doesn't preserve the "hops" correctly (which, to be fair, is kind of impossible for RemoteIp to detect, AFAICT).

Logging could help (like I said in #6). Really, I should just wire up logging statements in the RemoteIp code so users can easily trace its execution when they're debugging their setups like this. 🤔

[happysalada]

I managed to make it work. My problem was that I was using this outside of the normal plug, inside the error_handler in the router.
(I wanted to see the IPs of all the bots that are just scanning for vulnerable routes on my servers)
(unfortunately I found out that these bots are not sending any IP headers at all, so in the end, no way to catch and block these offenders)
Thanks for taking the time to respond to this!