I want to set up a reverse proxy that will work correctly with Discourse. My goal is to mask the real IP address of the server.
What features do I need to buy a server for this?
What should I do for the reverse proxy server and what should I do for the Discourse server?
Can you help with the steps to follow?
I couldn’t find an understandable guide for non-professionals like me.
I wish this topic to be a guide for new users.
I ask for your help. Thanks in advance. Respect.
If you expose a port/IP, all traffic for that port will be handled. The only issue you need to resolve is IP forwarding. So you need to customize NGINX to allow for the forwarded IP addresses so it does not look like all traffic is coming from 1 IP; there is a post here on meta covering that.
This is not my area of expertise and nothing comes to mind when I read these topics.
I actually wanted to create a step-by-step guide for this. Both for me and for non-experts like me.
this guide and change the proxy_pass line to the IP address of the real Discourse installation.
Also remember to add correct set_real_ip_from directives in the Discourse container for the frontend’s ipv4 and ipv6 addresses. (See cloudflare.template.yml for an example)
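To show why the set_real_ip_from entries matter, here is an added example (not code from the thread or from Discourse) that models in simplified form how nginx's realip module chooses the client address from the X-Forwarded-For header. The function name and all addresses are constructed for illustration; the addresses come from documentation ranges.

```python
import ipaddress

# Constructed addresses standing in for the frontend proxy's IPv4 and IPv6.
TRUSTED = ["203.0.113.10", "2001:db8::10"]


def resolve_client_ip(peer, x_forwarded_for, trusted, recursive=True):
    """Return the address a realip-style resolver would treat as the client.

    peer            -- address of the TCP connection reaching the backend
    x_forwarded_for -- raw header value, or None
    trusted         -- addresses/CIDRs listed in set_real_ip_from
    recursive       -- models real_ip_recursive on/off
    """
    nets = [ipaddress.ip_network(t) for t in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip.version == n.version and ip in n for n in nets)

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    current = peer
    # Walk the header right to left; only a trusted hop may vouch for the
    # address that precedes it.
    for hop in reversed(hops):
        if not is_trusted(current):
            break
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address accepted so far
        current = hop
        if not recursive:
            break
    return current


if __name__ == "__main__":
    # Visitor behind the frontend proxy: the backend sees the visitor.
    print(resolve_client_ip("203.0.113.10", "198.51.100.7", TRUSTED))
    # No set_real_ip_from: every request appears to come from the proxy.
    print(resolve_client_ip("203.0.113.10", "198.51.100.7", []))
    # Connection that bypasses the proxy: its header is ignored.
    print(resolve_client_ip("192.0.2.66", "10.0.0.1", TRUSTED))
```

Listing only the frontend's own addresses is what keeps a forged header from being believed when a connection does not come through the proxy.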
Maybe you want cloudflare? I think you may need to make sure that mail doesn’t expose your ip.
Unless you have reason to believe that people hate you or your forum, it’s likely a waste of time.
I will try these. Thanks.
Thanks for your reply. I’m using an external smtp server and a different CDN.
Cloudflare is not enough to hide the IP address. iplogger. It is possible to learn the IP address in tools such as org. I couldn’t see anything in the discourse settings to prevent this. So iplogger. Thanks to a link taken from the org address, it is possible to learn the real IP address of the server at the entry points of the forum.
I’m thinking of using Discourse for a political party. Those with opposing views try too many avenues of attack. I need to build this forum solid.
Here’s what I pictured in my mind;
VPS - (discourse installed- external cdn, external smtp) — > reverse proxy (HAProxy- layer 7 ddos - reverse proxy) — > cloudflare
To stop using HAProxy / Reverse proxy, I need to ban URL in the forum. I don’t know how to prevent this from all inputs.
It should be, if Cloudflare can’t hide it then your reverse proxy also cannot. But it’s possible, so you must have a configuration mistake somewhere. What do you mean with “such as org” ?
My forum has CloudFlare and when inserting a URL from this service, I can get the real IP of my server, this is a big gift for DDoS attacks.
I checked it on the Discourse Meta and this forum doesn’t have URL filtering either.
Blocking the IPlogger domain can’t help because the attacker can use a custom domain with the script for logging IP addresses. I think we need to use a whitelist to filter the domains that can use onebox.
Example: if admin allow only url from Youtube, Twitter, Imgur, all other ur…
Actually, I’m talking about the above. A URL can be created with the help of the tool available at “iplogger.org”. When you take this URL and place it in the thread in the discourse forum, you can learn the real IP address of the server. Because the VPS where discourse is installed is making a direct request to the connection placed inside the topic. This allows the server’s real IP address to be exposed.
In the topic below, it says that a proxy server should be set up for outgoing requests from the server.
Yes you will need to set up a proxy for outgoing traffic on your server this has nothing to do with us.
I wrote it with the help of a translation. Sorry for the typo. My English is not very good.
Also, after putting cloudflare in front of the VPS, the IP address of the server is masked. There is no problem here.
However, the outgoing request from the server shows the IP address. “https://iplogger.org/” does the job of exposing the IP address very well.
If this is due to misconfiguration it would be great to know how to fix it.
An end-to-end guide will help many people.
Please share. I have changed my IP address many times because the hacker gets my IP from iplogger.
Is it not possible to disable discourse’s parsing of these images/urls that cause the IP leak of the origin server?
Or at least make it so there is a whitelist of a certain set of domains that will be parsed?
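The domain whitelist proposed here and in the quoted post above (only YouTube, Twitter, Imgur), sketched as an added example that is not Discourse code or an existing Discourse setting. The function name, the https-only rule and the port rule are assumptions made for the illustration, and the test URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains taken from the example in the thread; subdomains are accepted too.
ALLOWED_DOMAINS = {"youtube.com", "twitter.com", "imgur.com"}


def may_fetch_preview(url, allowed=ALLOWED_DOMAINS):
    """Decide whether the server may fetch this URL to build a link preview."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # "https://youtube.com@other.example/" has youtube.com as the user name,
    # not the host, so any userinfo part is refused outright.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never match a domain allowlist
    except ValueError:
        pass
    # Exact match or a true subdomain; a plain substring or suffix test would
    # accept "notyoutube.com" and "youtube.com.other.example".
    return any(host == d or host.endswith("." + d) for d in allowed)


if __name__ == "__main__":
    for candidate in (
        "https://www.youtube.com/watch?v=abc",
        "https://i.imgur.com/a.png",
        "https://youtube.com.other.example/x",
        "https://youtube.com@other.example/x",
        "https://notyoutube.com/",
        "https://203.0.113.5/x",
    ):
        print(candidate, may_fetch_preview(candidate))
```

The same check has to be applied again to every redirect target, since an allowed site can redirect to a host that is not on the list.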
From what I understand, Discourse fetches the link server-side to generate the preview. Post a malicious link controlled by the attacker, check the server access logs, get the IP address, attack, and the site goes down. Easy peasy.
I keep my forum’s server behind Cloudflare due to a large amount of attacks against the site. The link previews and emails can leak the server’s backend IP address. The email issue was resolved by setting up an SMTP relay that strips headers (if the user pulls email headers to get the IP, they get the relay and not the forum’s IP). Is there a way to make the link previews go through a proxy server?
I think you fix it by having your firewall allow connections only from cloudflare servers. This way it will not matter if your ip address is known.
Thanks for your answer. What you say is theoretically correct. But it is not technically correct and sufficient.
How would that protect you if the attacker fakes their origin? Spoofing that kind of thing is trivial.
Oh. Right. I totally forgot spoofing the source IP address for a DDOS attack.
How do I get the outgoing traffic from the VPS to go through CloudFlare?
You need a proxy server for that, not a reverse proxy. You can Google for “free proxy server” to find some, or run something like Squid on a vm that allows ssh only from your ip, perhaps behind a bastion.
I’m not quite sure how to configure discourse to use it, but it might be as simple as setting an env variable.