[GH-ISSUE #905] Prefer Cloudflare IP header instead of X-Forwarded-For #639

New issue

Closed

opened 2026-05-07 00:26:10 +02:00 by BreizhHardware · 9 comments

BreizhHardware commented 2026-05-07 00:26:10 +02:00

Owner

Copy link

Originally created by @ChokunPlayZ on GitHub (Oct 1, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/905

💡 Idea
I think there's not many configs like mine where the setup involves multiple reverse proxy (in my case NGINX and Cloudflare)
the current "behind proxy" setting cause issue because
NGINX attach 2 IP in the forwarded for header, ntfy always prefer the wrong one (the last one)
instead there's the Cloudflare's Cf-Connecting-Ip which is more accurate than the X-Forwarded-For header
it would be great if this could be added

or an alternative fix, if there is multiple IP in the X-Forwarded-For header always prefer the public IP over private ones
because in my case here's how the header looks like: X-Forwarded-For: <mypublicip>, 172.17.0.1(docker)

💻 Target components
ntfy server

Originally created by @ChokunPlayZ on GitHub (Oct 1, 2023). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/905 :bulb: **Idea** I think there's not many configs like mine where the setup involves multiple reverse proxy (in my case NGINX and Cloudflare) the current "behind proxy" setting cause issue because NGINX attach 2 IP in the forwarded for header, ntfy always prefer the wrong one (the last one) instead there's the Cloudflare's `Cf-Connecting-Ip` which is more accurate than the `X-Forwarded-For` header it would be great if this could be added or an alternative fix, if there is multiple IP in the `X-Forwarded-For` header always prefer the public IP over private ones because in my case here's how the header looks like: `X-Forwarded-For: <mypublicip>, 172.17.0.1(docker)` :computer: **Target components** ntfy server

BreizhHardware 2026-05-07 00:26:10 +02:00

• closed this issue
• added the
  enhancement
  server
  labels

BreizhHardware commented 2026-05-07 00:26:11 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Nov 18, 2023):

I understand that the X-Forwarded-For handling is rudimentary. ntfy picks the rightmost address, since that is the most secure way to pick a trustworthy address. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details.

To implement a proper X-Forwarded-For handling, we'd need to be able to configure a list of trustworthy proxies, e.g. proxies: 172.17.0.1. These proxies would be ignored in the selection of the IP address.

Adding a vendor-specific header like Cf-Connecting-Ip doesn't seem like a great idea, IMHO.

<!-- gh-comment-id:1817304272 --> @binwiederhier commented on GitHub (Nov 18, 2023): I understand that the X-Forwarded-For handling is rudimentary. ntfy picks the rightmost address, since that is the most secure way to pick a trustworthy address. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details. To implement a proper X-Forwarded-For handling, we'd need to be able to configure a list of trustworthy proxies, e.g. `proxies: 172.17.0.1`. These proxies would be ignored in the selection of the IP address. Adding a vendor-specific header like `Cf-Connecting-Ip` doesn't seem like a great idea, IMHO.

BreizhHardware commented 2026-05-07 00:26:11 +02:00

Author

Owner

Copy link

@hipur commented on GitHub (Nov 8, 2024):

Maybe X-Real-IP could be beneficial, since it's easier to overwrite without reverse proxies adding another IP to the right. e.g.: traefik

<!-- gh-comment-id:2465881869 --> @hipur commented on GitHub (Nov 8, 2024): Maybe X-Real-IP could be beneficial, since it's easier to overwrite without reverse proxies adding another IP to the right. e.g.: traefik

BreizhHardware commented 2026-05-07 00:26:11 +02:00

Author

Owner

Copy link

@ojio-san commented on GitHub (Dec 29, 2024):

Hello there,

I'm sorry to revive such an old topic, but this issue is open, so I would like to add something to this, as I have multiple proxies there, so I have the same issue as @ChokunPlayZ

@binwiederhier

I understand that the X-Forwarded-For handling is rudimentary. ntfy picks the rightmost address, since that is the most secure way to pick a trustworthy address. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details.

I would like to know where did you find that the rightmost address is the most secure way and the trustworthy address ?

If I'm reading right here : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#client

This means that the rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the address of the originating client

So, if we get the rightmost address, we always get the proxy, not the client, because "the leftmost IP address is the address of the originating client", right ?

In that case, the visitor_ip is always the last proxy IP and not the client IP; I don't think that's the expected behaviour.

ntfy-857c5c874d-x5mvp 2024/12/29 09:57:50 DEBUG HTTP request finished (http_method=GET, http_path=/, tag=http, time_taken_ms=0, visitor_auth_limiter_limit=0.016666666666666666, visitor_auth_limiter_tokens=3 │
│ 0, visitor_id=ip:2a03:123:456:789::123, visitor_ip=2a03:123:456:789::123, visitor_messages=0, visitor_messages_limit=17280, visitor_messages_remaining=17280, visitor_request_limiter_limit=0.2, visitor_reque │
│ st_limiter_tokens=60, visitor_seen=2024-12-29T08:57:50.115+01:00) 

Thank you, have a nice day :)

<!-- gh-comment-id:2564658251 --> @ojio-san commented on GitHub (Dec 29, 2024): Hello there, I'm sorry to revive such an old topic, but this issue is open, so I would like to add something to this, as I have multiple proxies there, so I have the same issue as @ChokunPlayZ @binwiederhier > I understand that the X-Forwarded-For handling is rudimentary. ntfy picks the rightmost address, since that is the most secure way to pick a trustworthy address. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details. I would like to know where did you find that the rightmost address is the most secure way and the trustworthy address ? If I'm reading right here : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#client `This means that the rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the address of the originating client` So, if we get the rightmost address, we always get the proxy, not the client, because "the leftmost IP address is the address of the originating client", right ? In that case, the `visitor_ip` is always the last proxy IP and not the client IP; I don't think that's the expected behaviour. ``` ntfy-857c5c874d-x5mvp 2024/12/29 09:57:50 DEBUG HTTP request finished (http_method=GET, http_path=/, tag=http, time_taken_ms=0, visitor_auth_limiter_limit=0.016666666666666666, visitor_auth_limiter_tokens=3 │ │ 0, visitor_id=ip:2a03:123:456:789::123, visitor_ip=2a03:123:456:789::123, visitor_messages=0, visitor_messages_limit=17280, visitor_messages_remaining=17280, visitor_request_limiter_limit=0.2, visitor_reque │ │ st_limiter_tokens=60, visitor_seen=2024-12-29T08:57:50.115+01:00) ``` Thank you, have a nice day :)

BreizhHardware commented 2026-05-07 00:26:11 +02:00

Author

Owner

Copy link

@pixitha commented on GitHub (Jan 2, 2025):

I just ran across this issue when I was deploying ntfy on Fly.io, which uses a customer header name like Cloudflare does. Right now with behind-proxy: true, I just get the Fly.io proxy IP, not the true client ip.

So I think that there are 2 issues here: picking the incorrect XFF client IP from the list and the lack of support for multiple/alternate header names.

It would be great if setting behind proxy to true, would also enable the option to set which header to look at for the client IP? (cloudflare/fly.io/aws/gcp all have customer header names to store client ip securely)
OR
if you could configured a trusted proxy subnet or IP so that looking at the XFF IP list, you could know to ignore the far right address if its "internal" (This is what Apache Tomcat does)

Example Image to help visualize the possible problem:

ref: https://www.stackhawk.com/blog/do-you-trust-your-x-forwarded-for-header/

In this diagram, picking the right most IP, would always be the first proxy, but really we should be picking n-1 if there are more than 1 IPs in the list?

<!-- gh-comment-id:2567246018 --> @pixitha commented on GitHub (Jan 2, 2025): I just ran across this issue when I was deploying ntfy on Fly.io, which uses a customer header name like Cloudflare does. Right now with behind-proxy: true, I just get the Fly.io proxy IP, not the true client ip. So I think that there are 2 issues here: picking the incorrect XFF client IP from the list and the lack of support for multiple/alternate header names. It would be great if setting behind proxy to true, would also enable the option to set which header to look at for the client IP? (cloudflare/fly.io/aws/gcp all have customer header names to store client ip securely) OR if you could configured a trusted proxy subnet or IP so that looking at the XFF IP list, you could know to ignore the far right address if its "internal" (This is what [Apache Tomcat](https://github.com/apache/tomcat/blob/c3511b1baf7defc57923fce7e12b5e6b392c68c5/java/org/apache/catalina/filters/RemoteIpFilter.java#L788-L800) does) Example Image to help visualize the possible problem:  ref: https://www.stackhawk.com/blog/do-you-trust-your-x-forwarded-for-header/ In this diagram, picking the right most IP, would always be the first proxy, but really we should be picking n-1 if there are more than 1 IPs in the list?

BreizhHardware commented 2026-05-07 00:26:12 +02:00

Author

Owner

Copy link

@pixitha commented on GitHub (Jan 6, 2025):

I'm working on a PR for this, here is an example running in fly.io:

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Starting IP extraction (http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG RemoteAddr: 172.16.13.122:52970 (http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Initial IP after RemoteAddr parsing: 172.16.13.122 (http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Using ProxyClientIPHeader: Fly-Client-IP (http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Custom header Fly-Client-IP value: 76.123.x.x(http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Successfully parsed IP from custom header: 76.123.x.x(http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Final resolved IP: 76.123.x.x(http_method=GET, http_path=/config.js, tag=http)

2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG HTTP request started (http_method=GET, http_path=/config.js, tag=http, visitor_auth_limiter_limit=0.016666666666666666, visitor_auth_limiter_tokens=30, visitor_id=ip:76.123.x.x, visitor_ip=76.123.x.x, visitor_messages=0, visitor_messages_limit=17280, visitor_messages_remaining=17280, visitor_request_limiter_limit=0.2, visitor_request_limiter_tokens=60, visitor_seen=2025-01-06T02:17:30.514Z)

<!-- gh-comment-id:2572082721 --> @pixitha commented on GitHub (Jan 6, 2025): I'm working on a PR for this, here is an example running in fly.io: ``` 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Starting IP extraction (http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG RemoteAddr: 172.16.13.122:52970 (http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Initial IP after RemoteAddr parsing: 172.16.13.122 (http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Using ProxyClientIPHeader: Fly-Client-IP (http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Custom header Fly-Client-IP value: 76.123.x.x(http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Successfully parsed IP from custom header: 76.123.x.x(http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG Final resolved IP: 76.123.x.x(http_method=GET, http_path=/config.js, tag=http) 2025-01-06T02:17:30.515 app[28669d] den [info] 2025/01/06 02:17:30 DEBUG HTTP request started (http_method=GET, http_path=/config.js, tag=http, visitor_auth_limiter_limit=0.016666666666666666, visitor_auth_limiter_tokens=30, visitor_id=ip:76.123.x.x, visitor_ip=76.123.x.x, visitor_messages=0, visitor_messages_limit=17280, visitor_messages_remaining=17280, visitor_request_limiter_limit=0.2, visitor_request_limiter_tokens=60, visitor_seen=2025-01-06T02:17:30.514Z) ```

BreizhHardware commented 2026-05-07 00:26:12 +02:00

Author

Owner

Copy link

@sr7142x commented on GitHub (Jan 21, 2025):

@pixitha I have the exact problem and your changes looks promising.

<!-- gh-comment-id:2605268654 --> @sr7142x commented on GitHub (Jan 21, 2025): @pixitha I have the exact problem and your changes looks promising.

BreizhHardware commented 2026-05-07 00:26:12 +02:00

Author

Owner

Copy link

@ojio-san commented on GitHub (Jan 29, 2025):

I'm also looking forward @pixitha PR merged on master !
@binwiederhier : is it possible to check https://github.com/binwiederhier/ntfy/pull/1252 ?
Thank you :)

<!-- gh-comment-id:2622135007 --> @ojio-san commented on GitHub (Jan 29, 2025): I'm also looking forward @pixitha PR merged on master ! @binwiederhier : is it possible to check https://github.com/binwiederhier/ntfy/pull/1252 ? Thank you :)

BreizhHardware commented 2026-05-07 00:26:12 +02:00

Author

Owner

Copy link

@ojio-san commented on GitHub (Nov 20, 2025):

It's a bit late, but it's working fine for me with this

behind-proxy: true
proxy-forwarded-header: "X-Your-Header-With-The-Real-Client-IP"
proxy-trusted-hosts: "1.2.3.4,5.6.7.8,2001:db8:3333:4444:5555:6666:7777:8888"

Thank you

<!-- gh-comment-id:3556722947 --> @ojio-san commented on GitHub (Nov 20, 2025): It's a bit late, but it's working fine for me with this ``` behind-proxy: true proxy-forwarded-header: "X-Your-Header-With-The-Real-Client-IP" proxy-trusted-hosts: "1.2.3.4,5.6.7.8,2001:db8:3333:4444:5555:6666:7777:8888" ``` Thank you

BreizhHardware commented 2026-05-07 00:26:12 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Nov 20, 2025):

Yes, this has been released a while ago. https://docs.ntfy.sh/config/#behind-a-proxy-tls-etc

<!-- gh-comment-id:3557243525 --> @binwiederhier commented on GitHub (Nov 20, 2025): Yes, this has been released a while ago. https://docs.ntfy.sh/config/#behind-a-proxy-tls-etc

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#639

No description provided.