DEV Community

Cover image for Concrete CMS + Cloudflare: How to fix logging out problem
Katz Ueno
Katz Ueno

Posted on • Edited on

Concrete CMS + Cloudflare: How to fix logging out problem

You have a Concrete CMS website and using Cloudflare. When you enable DNS proxy of Cloudflare, your Concrete CMS website started to log out frequently and became uneditable.

The reason why you get logged out

It's because Concrete CMS (Symfony framework) thinks you maybe compromised because your IP keeps changing.

Concrete CMS is built with Symfony framework. Symfony framework has security measurement to monitor user's session and IP address.

If user's IP address changes but the user session is the same, Symfony thinks that user session was hijacked and Symfony invalidates the session (log you out).

Cloudflare in the middle of web server

Why?

When you enable Cloudflare's DNS proxy mode, your traffic start to go through Cloudflare servers, then reaches Concrete CMS server.

Now, your Concrete CMS server see Cloudflare's IP as user's IP address instead of your IP address.

Since Cloudflare has so many edge locations, you often access to different edges every time you access your site.

Which means that Concrete CMS sees the same user is accessed from different IP request after request.

Symfony's trusted_proxy setting

But here is a good news. Symfony is already providing the solution.

You can set the range of Cloudflare's IP range.

Once you set the proxy address, the PHP application start to respect X-Forwarded-For header.

When the traffic go through Cloudflare, the Cloudflare embed the header called X-Forwarded-For which include the original user's IP address.

For more detail info you can read Symfony documentation: How to Configure Symfony to Work behind a Load Balancer or a Reverse Proxy

I will skip why Symfony does it but it's very important security measurement.

How to set-up Concrete CMS.

Anyway, where is Cloudflare's IPs?

Of course, Cloudflare provides its IP ranges at their own IP page.

You set these IP ranges to Concrete CMS.

Concrete CMS of course has Trusted Proxy config.

It can set it up via dashboard or CLI add-on.

Dashboard way

Here is the steps.

Concrete CMS trusted proxy setting page

  • Disable Cloudflare DNS proxy for a moment
  • Log-in to Concrete CMS as an admin
  • Visit System and Settings
  • Go to Permission and Access - Trusted Proxy page
  • Enter the Cloudflare's IP range in the text box and save
  • Enable Cloudflare DNS proxy and test if it works.
  • Come back to visit Cloudflare's IP Range page and update the trusted proxies.

Concrete CMS: Cloudflare Proxy add-on

The above trusted proxy way is a bit troublesome since you may need to check periodically. (Although Cloudflare seems to update IP range once every other year or less frequent.)

Good news is that Cloudflare offers simple text pages of IP ranges. ( IPv4 & IPv6 )

Then Concrete CMS has an add-on to update the IP range via those page, called Cloudflare Proxy add-on.

It is CLI based add-on.

  • Visit the github page
  • Download the zip file
  • Rename the folder as cloudflare_proxy
  • Run composer install in the cloudflare_proxy
  • Upload or deploy the package folder to Concrete CMS's packages folder
  • Install the package via dashboard or CLI
  • Set-up cron to run the following command periodically.

How to update the list

The command to run is

Concrete CMS v9



[path/to/]concrete/bin/concrete cf:ip:update


Enter fullscreen mode Exit fullscreen mode

Concrete CMS v8



[path/to/]concrete/bin/concrete5 cf:ip:update


Enter fullscreen mode Exit fullscreen mode

Then the package fetch the current IP range and update it.

If you would like to see the current IP list

Find out the list

Concrete CMS v9



[path/to/]concrete/bin/concrete cf:ip:list


Enter fullscreen mode Exit fullscreen mode

Concrete CMS v8



[path/to/]concrete/bin/concrete5 cf:ip:list


Enter fullscreen mode Exit fullscreen mode

Cron sample

The following is the crontab sample. It is to run at 1am everyday. It is different if you setup at /etc/crontab or systemd timer.

You may need to set php path in cron.

Concrete CMS V9 and later



0  1  *  *  * (user) [path/to/]concrete/bin/concrete cf:ip:update


Enter fullscreen mode Exit fullscreen mode

Concrete CMS V8



0  1  *  *  * (user) [path/to/]concrete/bin/concrete5 cf:ip:update


Enter fullscreen mode Exit fullscreen mode

Anyway, this should solve the troublesomeness.

Conclusion

If you cannot figure out Cloudflare proxy add-on, juat set-it up at trusted proxy page via dashboard.

Cloudflare doesn't update the IP often, anywa.

If your Concrete CMS doesn't accept public user login, you just need to update when the user starts to complain that they started to get logged out. That's when you need to check Cloudflare IP page and update the trusted proxy IP. :p

By the way, this also applies to Concrete CMS environment with CloudFront and/or ELB. You will set-up IP range of those.

Top comments (0)