How to run concrete5 behind CloudFlare and AWS ELB


This applies to concrete5.7 and later.

Since adopting the Symfony framework, concrete5 has included an IP check: if a user's originating IP address changes, concrete5 logs the user out.

However, this security measure doesn't work well with advanced load balancers such as AWS Elastic Load Balancer or CloudFlare.

From concrete5's point of view, it can only see the IP address of the load balancer ($_SERVER['REMOTE_ADDR'], to be exact). Because the balancer's IP address changes constantly, concrete5 (the Symfony framework) thinks your ID and password may have been stolen and logs you out.

First, make sure that the security group of your EC2 server allows incoming access only from the ELB.

The symptom is that you can log in to the concrete5 welcome page but cannot go any further: you are forced to log out on the next page, because concrete5 thinks you are a hacker accessing the site through a different "proxy" server.

You need to tell concrete5 that those IP addresses are trusted by placing the following code in /application/config/concrete.php.

(Special thanks to Brendon Green for correction!)

 

For CloudFlare

This is a sample /application/config/concrete.php for CloudFlare. CloudFlare may change its IP addresses, so you should keep checking its published list.

 

<?php
/**
 * Trust the forwarded client IP only when the request comes from one of the proxy ranges listed below.
 * 
 * For more detail, see: http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html
 */
// IP ranges of the trusted proxies, in CIDR notation.
// The CloudFlare ranges below are a sample; the current list is at https://www.cloudflare.com/ips/
// For AWS, take a look at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
$remoteIp = [
    "103.21.244.0/22",
    "103.22.200.0/22",
    "103.31.4.0/22",
    "104.16.0.0/12",
    "108.162.192.0/18",
    "131.0.72.0/22",
    "141.101.64.0/18",
    "162.158.0.0/15",
    "172.64.0.0/13",
    "173.245.48.0/20",
    "188.114.96.0/20",
    "190.93.240.0/20",
    "197.234.240.0/22",
    "198.41.128.0/17",
];

return [
    'security' => [
        'trusted_proxies' =>[
            'ips' => $remoteIp,
        ],
    ],
];

 

For AWS ELB

AWS has multiple regions, so the IP ranges vary. Put your region's IP ranges into /application/config/concrete.php.

 

<?php
/**
 * Trust the forwarded client IP only when the request comes from one of the proxy ranges listed below.
 * 
 * For more detail, see: http://symfony.com/doc/current/cookbook/request/load_balancer_reverse_proxy.html
 */
// IP ranges of the trusted proxies, in CIDR notation.
// For AWS, take a look at https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
// For CloudFlare, the current list is at https://www.cloudflare.com/ips/
$remoteIp = [
    "xxx.xxx.xxx.xxx/xx", // List IP range of your AWS region.
];

return [
    'security' => [
        'trusted_proxies' =>[
            'ips' => $remoteIp,
        ],
    ],
];

This should resolve the issue.
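To show why the list should contain only your proxy's ranges, here is an added example (not concrete5 or Symfony code) that models the trusted-proxy rule in simplified form: the X-Forwarded-For header is honoured only when the direct peer is in the trusted list. The function names `ipInCidr`, `isTrusted` and `clientIp` are hypothetical, and the sample addresses are constructed.

```php
<?php
// Added illustration, not concrete5 or Symfony source. IPv4 only, 64-bit PHP.

/** True when $ip lies inside $cidr, e.g. "173.245.48.0/20". */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrusted(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/** Pick the client IP from the TCP peer address and X-Forwarded-For. */
function clientIp(string $remoteAddr, ?string $forwardedFor, array $trusted): string
{
    // The header counts only when the direct peer is a trusted proxy.
    if ($forwardedFor === null || !isTrusted($remoteAddr, $trusted)) {
        return $remoteAddr;
    }
    // Walk right to left: the first valid hop that is not a proxy is the client.
    foreach (array_reverse(array_map('trim', explode(',', $forwardedFor))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) && !isTrusted($hop, $trusted)) {
            return $hop;
        }
    }
    return $remoteAddr;
}

// Constructed sample: one range from the CloudFlare list above, plus
// documentation addresses standing in for a visitor and a direct caller.
$trusted = ['173.245.48.0/20'];
// Request relayed by the proxy: the forwarded visitor address is used.
echo clientIp('173.245.48.10', '203.0.113.7', $trusted), PHP_EOL;
// Direct request carrying a forged header: the header is ignored.
echo clientIp('198.51.100.9', '203.0.113.7', $trusted), PHP_EOL;
```

With the proxy ranges trusted, the session's IP check sees the visitor's stable address instead of the balancer's changing one, while a caller outside those ranges cannot substitute an address of their choice.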