IP Banlist behind Cloudflare #1552

PeeBeerBeach · 2024-03-02T08:47:27Z

PeeBeerBeach
Mar 2, 2024

I wonder if anyone managed to get the IP banlist to work correctly behind cloudflare as proxy (zero trust).
The problem is that cloudflare will only pass on the cloudflare proxy IP to SFTPGO but not the originating visitors IP.
That makes IP banning pretty much unusable.

Here is a cloudflare documentation that explains how to pass on the originating visitors IP to an application: https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

I have honestly no big clue if there is any way to integrate this into SFTPGO.

tomwiggers · 2025-10-15T12:32:03Z

tomwiggers
Oct 15, 2025

We also had to figure this out, but turns it is pretty simple. To maybe/hopefully help some others:

I don't know whether these configuration options existed at the time this question asked, but now it is possible now to specify which header SFTPGo should look at to retrieve the original client IP and from which source IP(s) this header should be trusted using the options client_ip_proxy_header and proxy_allowed in the HTTP server binding configuration.

In the case of Cloudflare, it passes on the CF-Connecting-IP HTTP header containing the original client IP so this header should be configured as client_ip_proxy_header. As for proxy_allowed, Cloudflare publishes lists of all their IPv4 and IPv6 address which can be added to this configuration: https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. However we run SFTPGo in Kubernetes and also needed to add the (internal) IP (range) of the Kubernetes load balancers as they pass on the header from Cloudflare to SFTPGo and SFTPGo needs to trust those too.

0 replies

PeeBeerBeach · 2025-11-16T12:06:20Z

PeeBeerBeach
Nov 16, 2025
Author

Thanks but if i get you right, this is not really what i want to do. Your answer relates to allowing certain IPs as allowed for the originating proxy and disallowing all others.

What i want to achieve is to get the originating client IP passed through to my SFTPGO so i can use it for a dynamic banning (e.g. 3x times wrong password).

0 replies

fostermi · 2025-11-19T23:55:55Z

fostermi
Nov 19, 2025

@tomwiggers answer is what you're looking for.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

IP Banlist behind Cloudflare #1552

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

IP Banlist behind Cloudflare #1552

Uh oh!

PeeBeerBeach Mar 2, 2024

Replies: 3 comments

Uh oh!

Uh oh!

tomwiggers Oct 15, 2025

Uh oh!

PeeBeerBeach Nov 16, 2025 Author

Uh oh!

fostermi Nov 19, 2025

PeeBeerBeach
Mar 2, 2024

tomwiggers
Oct 15, 2025

PeeBeerBeach
Nov 16, 2025
Author

fostermi
Nov 19, 2025