From 67313b79e64429be743f6233697a4ec7d0a6f223 Mon Sep 17 00:00:00 2001 From: Denis Ndwiga Date: Sat, 7 Feb 2015 21:06:33 +0300 Subject: [PATCH 1/2] Update ipfilter.js Allow the retrieval of connecting client Ip address if cloudflare is being using --- lib/ipfilter.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/ipfilter.js b/lib/ipfilter.js index dcba282..a6cb427 100644 --- a/lib/ipfilter.js +++ b/lib/ipfilter.js @@ -60,6 +60,8 @@ module.exports = function ipfilter(ips, opts) { var ipAddress; var forwardedIpsStr = req.headers['x-forwarded-for']; + //Allow getting cloudflare connecting client IP + var cloudFlareConnectingIp=req.headers['cf-connecting-ip']; if (forwardedIpsStr) { var forwardedIps = forwardedIpsStr.split(','); @@ -69,6 +71,9 @@ module.exports = function ipfilter(ips, opts) { if (!ipAddress) { ipAddress = req.connection.remoteAddress; } + if(cloudFlareConnectingIp!=undefined){ + ipAddress=cloudFlareConnectingIp; + } if(!ipAddress){ return ''; From c615cf29c6c5ba26403362551599636b3876e7bb Mon Sep 17 00:00:00 2001 From: ndwiga Date: Tue, 10 Feb 2015 01:08:12 +0300 Subject: [PATCH 2/2] Added CloudFlare header tests --- test.js | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/test.js b/test.js index d45713d..0a30017 100644 --- a/test.js +++ b/test.js 
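Review bot: The override added in the second lib/ipfilter.js hunk, `if(cloudFlareConnectingIp!=undefined){ ipAddress=cloudFlareConnectingIp; }`, accepts `cf-connecting-ip` from any request and lets it win over both `x-forwarded-for` and `req.connection.remoteAddress`. If the server can be reached without passing through Cloudflare, the client supplies the address the filter evaluates, which undermines both deny and allow mode; the header read in the first hunk feeds that same path. I would make this opt-in, e.g. `if (opts.cloudflare && cloudFlareConnectingIp !== undefined) {`, where `cloudflare` is a suggested new option name and `opts` is assumed to be in scope here. The option's documentation should say to enable it only when the origin accepts connections solely from Cloudflare. The enclosing function starts and ends outside both hunks.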
@@ -571,3 +571,69 @@ describe('an array of cidr blocks',function(){
 });
 });
 });
+
+//CloudFlare Tests
+describe('enforcing cloudflare based client IP address blacklist restrictions', function(){
+
+ beforeEach(function(){
+ this.ipfilter = ipfilter([ '127.0.0.1' ], { log: false });
+ this.req = {
+ session: {},
+ headers: [],
+ connection: {
+ remoteAddress: ''
+ }
+ };
+ });
+
+ it('should allow all non-blacklisted forwarded ips', function( done ){
+ this.req.headers['cf-connecting-ip'] = '127.0.0.2';
+ this.ipfilter( this.req, {}, function(){
+ done();
+ });
+ });
+
+ it('should deny all blacklisted forwarded ips', function( done ){
+ this.req.headers['cf-connecting-ip'] = '127.0.0.1';
+ var res = {
+ end: function(){
+ assert.equal( 401, res.statusCode );
+ done();
+ }
+ };
+
+ this.ipfilter( this.req, res, function(){});
+ });
+
+});
+describe('enforcing cloudflare based client IP address whitelist restrictions', function(){
+ beforeEach(function(){
+ this.ipfilter = ipfilter([ '127.0.0.1' ], { log: false, mode: 'allow' });
+ this.req = {
+ session: {},
+ headers: [],
+ connection: {
+ remoteAddress: ''
+ }
+ };
+ });
+
+ it('should allow whitelisted forwarded ips', function( done ){
+ this.req.headers['cf-connecting-ip'] = '127.0.0.1';
+ this.ipfilter( this.req, {}, function(){
+ done();
+ });
+ });
+ it('should deny all non-whitelisted forwarded ips', function( done ){
+ this.req.headers['cf-connecting-ip'] = '127.0.0.2';
+ var res = {
+ end: function(){
+ assert.equal( 401, res.statusCode );
+ done();
+ }
+ };
+
+ this.ipfilter( this.req, res, function(){});
+ });
+
+})
\ No newline at end of file
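Review bot: Both `beforeEach` fixtures leave `remoteAddress: ''` and never set `x-forwarded-for`, so no test pins which source wins when `cf-connecting-ip` disagrees with the socket address or the forwarded list. The filter decision depends on that precedence, so I would add one case per mode where `remoteAddress` and the header carry different addresses and assert the intended outcome explicitly. Separately, `headers: []` should be `headers: {},` because the fixture is indexed by string key. The closing `})` is also missing its semicolon and the file has no trailing newline.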