
Add Support for CloudFlare's CF-Connecting-IP Header for Checking IP Bans?

Posted: Mon Feb 06, 2017 9:23 pm
by mkoch227
When submitting a ticket through a system that uses CloudFlare, the IP address ($_SERVER['REMOTE_ADDR']) returns the CloudFlare IP that the user connected to and not the actual user's IP, unless their server has the mod_cloudflare Apache module installed. In order to adequately check to see if the user's IP is banned, HESK should check for the IP address returned from the CF-Connecting-IP HTTP header (if it exists), and then $_SERVER['REMOTE_ADDR'].

An alternative would be to instruct users to install the mod_cloudflare Apache module, however some shared hosts may not allow users to do this on their own.

Re: Add Support for CloudFlare's CF-Connecting-IP Header for Checking IP Bans?

Posted: Tue Feb 07, 2017 12:18 pm
by Klemen
Shouldn't be hard to add.

However, the problem with extra headers is they are extremely easy to fake. If there is a CF-Connecting-IP header present there is no guarantee at all that the request is really from CloudFlare. An attacker on a server not using CloudFlare could easily add a CF-Connecting-IP header (set to a random IP) to the HTTP requests and hide the real IP address.

If it's added it should be added as an optional setting, so it can be enabled manually only on servers that use CF.
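The two posts above between them describe the whole design: fall back from CF-Connecting-IP to REMOTE_ADDR (first post), but only believe the header when the feature is switched on and the request really arrived from a CloudFlare edge, because anyone can send that header (reply). The following is an added example in PHP, written for this thread and not code from HESK itself. The setting name `cf_connecting_ip`, the function names, and the constructed requests are assumptions; the CloudFlare address ranges are a snapshot of the list CloudFlare publishes at https://www.cloudflare.com/ips/ and must be refreshed from that list rather than hard-coded in a real deployment.

```php
<?php
// Added example, not HESK code: resolve the visitor IP for ban checks behind CloudFlare.
// Assumed setting (not from the thread): $settings['cf_connecting_ip'], which the admin
// enables only on sites that are actually fronted by CloudFlare.

// Snapshot of CloudFlare's published edge ranges (https://www.cloudflare.com/ips/).
// Illustrative only; load the current list in production.
$CF_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
    '2400:cb00::/32', '2606:4700::/32', '2803:f800::/32', '2405:b500::/32',
    '2405:8100::/32', '2a06:98c0::/29', '2c0f:f248::/32',
];

// True if $ip lies inside $cidr. inet_pton gives raw bytes for both IPv4 and IPv6,
// so the same prefix comparison serves both families.
function ip_in_cidr($ip, $cidr)
{
    list($net, $bits) = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address, or IPv4 compared against an IPv6 range
    }
    $bits  = (int)$bits;
    $bytes = (int)($bits / 8);   // whole bytes that must match exactly
    $rem   = $bits % 8;          // leftover high bits in the next byte
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function ip_in_ranges($ip, array $ranges)
{
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the address the ban list should be checked against. $server stands in for
// $_SERVER so the logic can be exercised with constructed requests. Without
// mod_cloudflare, PHP exposes the header as $_SERVER['HTTP_CF_CONNECTING_IP'].
function hesk_clientIP(array $server, array $settings, array $cfRanges)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $header = isset($server['HTTP_CF_CONNECTING_IP']) ? $server['HTTP_CF_CONNECTING_IP'] : '';

    if (empty($settings['cf_connecting_ip']) || $header === '') {
        return $remote;                 // feature off, or no header: plain REMOTE_ADDR
    }
    if (!ip_in_ranges($remote, $cfRanges)) {
        return $remote;                 // TCP peer is not a CloudFlare edge: header is untrusted
    }
    if (filter_var($header, FILTER_VALIDATE_IP) === false) {
        return $remote;                 // a garbage header value must not dodge the ban list
    }
    return $header;
}

// Constructed requests (documentation addresses, not real traffic) covering the three cases.
$on  = ['cf_connecting_ip' => 1];
$off = ['cf_connecting_ip' => 0];

$viaCloudflare = ['REMOTE_ADDR' => '104.16.1.1',   'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];
$forged        = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'];

echo hesk_clientIP($viaCloudflare, $on,  $CF_RANGES), "\n"; // peer is a CloudFlare edge: header used
echo hesk_clientIP($forged,        $on,  $CF_RANGES), "\n"; // peer is not CloudFlare: header ignored
echo hesk_clientIP($viaCloudflare, $off, $CF_RANGES), "\n"; // setting disabled: REMOTE_ADDR as before
```

The first call yields the header value (203.0.113.7), the other two yield REMOTE_ADDR. Gating on the setting alone is not enough, which is why the example also checks that REMOTE_ADDR is inside a CloudFlare range: a site that enables the option but is reachable directly (origin IP leaked, or CloudFlare later removed) would otherwise accept a forged header from anyone. The same reasoning applies to X-Forwarded-For and any other client-supplied header.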