How to run concrete5 behind CloudFlare and AWS ELB

This applies to concrete5 5.7 and later.

Since adopting the Symfony framework, concrete5 performs an IP check on each session: if the originating IP address of a logged-in user changes, concrete5 logs that user out.

However, this security measure does not work well behind an advanced load balancer or reverse proxy such as AWS Elastic Load Balancer or CloudFlare.

From concrete5's point of view, the only address it can see is that of the load balancer ($_SERVER['REMOTE_ADDR'], to be exact). Because the balancer's address changes constantly, concrete5 (via Symfony) concludes that your credentials may have been stolen and logs you out.

First, make sure that the EC2 instance's security group only allows incoming traffic from the ELB.

The symptom is that you can log in and reach the concrete5 welcome page, but on the next page you are forced out again: concrete5 treats you as an attacker because the request arrived via a different "proxy" server.

You need to tell concrete5 that those IP addresses are trusted by placing the following code in /application/config/concrete.php.

(Special thanks to Brendon Green for correction!)


For CloudFlare

This is a sample /application/config/concrete.php for CloudFlare. CloudFlare may change its IP address ranges, so keep checking their published list.


<?php
/**
 * Trust X-Forwarded-* headers only when the request comes from one of the
 * proxy ranges listed below; requests from any other address are treated as
 * direct and their forwarded headers are ignored.
 *
 * For more detail, see: http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html
 */
// Trusted proxy ranges.
// For AWS, see https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
// CloudFlare publishes its ranges at https://www.cloudflare.com/ips/
$remoteIp = [
    "103.21.244.0/22",
    "103.22.200.0/22",
    "103.31.4.0/22",
    "104.16.0.0/12",
    "108.162.192.0/18",
    "131.0.72.0/22",
    "141.101.64.0/18",
    "162.158.0.0/15",
    "172.64.0.0/13",
    "173.245.48.0/20",
    "188.114.96.0/20",
    "190.93.240.0/20",
    "197.234.240.0/22",
    "198.41.128.0/17",
];

return [
    'security' => [
        'trusted_proxies' => [
            'ips' => $remoteIp,
        ],
    ],
];


For AWS ELB

AWS has multiple regions, so the IP range varies. Put your region's IP range into /application/config/concrete.php:


<?php
/**
 * Trust X-Forwarded-* headers only when the request comes from one of the
 * proxy ranges listed below; requests from any other address are treated as
 * direct and their forwarded headers are ignored.
 *
 * For more detail, see: http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html
 */
// Trusted proxy ranges.
// For AWS, see https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
$remoteIp = [
    "xxx.xxx.xxx.xxx/xx", // List the IP ranges of your AWS region here.
];

return [
    'security' => [
        'trusted_proxies' => [
            'ips' => $remoteIp,
        ],
    ],
];


This should resolve the issue.
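To show what the trusted_proxies setting actually does, here is an added PHP example (not concrete5 or Symfony code) that resolves the client address the way such a check must: X-Forwarded-For is honoured only when REMOTE_ADDR is inside one of the configured ranges, and a forged header on a direct request is ignored. The two CloudFlare ranges come from the list above; every other address is constructed.

```php
<?php
// Added example, not concrete5 or Symfony code; addresses below are constructed.

// True if IPv4 $ip lies inside $cidr (e.g. "173.245.48.0/20"); a bare IP means /32.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isTrustedProxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $range) {
        if (ipInCidr($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Walk X-Forwarded-For from the nearest hop backwards and return the first
// address that is not a trusted proxy. If the direct peer itself is not a
// trusted proxy, the header is ignored and REMOTE_ADDR is the client.
function resolveClientIp(string $remoteAddr, ?string $xff, array $trusted): string
{
    if ($xff === null || !isTrustedProxy($remoteAddr, $trusted)) {
        return $remoteAddr;
    }
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!isTrustedProxy($hops[$i], $trusted)) {
            return $hops[$i];
        }
    }
    return $hops[0]; // every hop was a proxy; keep the outermost one
}

$trusted = ['173.245.48.0/20', '103.21.244.0/22']; // two CloudFlare ranges from the post
// Forwarded by CloudFlare: REMOTE_ADDR is a trusted range, so the header is used.
echo resolveClientIp('173.245.48.10', '203.0.113.7', $trusted), "\n";
// Direct request carrying a forged header: REMOTE_ADDR is untrusted, header ignored.
echo resolveClientIp('198.51.100.9', '10.0.0.1, 203.0.113.7', $trusted), "\n";
```

The second call is exactly the case Brendon Green raises in the comments: if direct traffic can reach the server, the only thing stopping a forged X-Forwarded-For is that REMOTE_ADDR fails the trusted-range check.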


  • Brendon Green

    If using this solution as-is, please ensure that _only_ traffic from your trusted reverse proxy or load balancer can reach your server. If the server is open to any direct traffic, any visitor will be able to spoof their identity by sending an X-FORWARDED-FOR header.

    If at all possible, you should explicitly list the IP ranges used by the reverse proxy or load balancer.

    • Thx!
      Yes. I now agree.
      (I’ve learned a lot since posting this blog.)

      I will make some correction to the post.
      Thank you very much for reminding me.

    • Hi, I’ve just changed & added CloudFlare IPs as trusted proxy as an example.
      Thanks a lot.