Laravel Cloudflare Laravel Package

Product Decisions This Supports

• Build vs. Buy: Buy – Eliminates the need to manually maintain Cloudflare IP lists, reducing DevOps overhead and ensuring compliance with Laravel’s trusted proxy requirements.
• Security & Compliance: Automatically trust Cloudflare IPs for accurate request IP detection, critical for:
  • Geo-blocking (e.g., GDPR compliance).
  • Rate-limiting (e.g., preventing abuse via Cloudflare IPs).
  • IP-based analytics (e.g., accurate user location tracking).
• Scalability: Supports dynamic IP updates (via scheduled cache refreshes) without downtime, ideal for high-traffic Laravel apps behind Cloudflare.
• Roadmap Alignment:
  • Phase 1: Integrate into existing Laravel apps to replace manual IP whitelisting.
  • Phase 2: Extend to microservices (e.g., API gateways) using the same middleware pattern.
  • Phase 3: Add Cloudflare-specific features (e.g., Cf-Connecting-Ip header support for true client IP resolution).
• Use Cases:
  • E-commerce: Prevent fraud by trusting Cloudflare’s IP ranges for payment processing.
  • SaaS: Ensure accurate user IP logging for support/troubleshooting.
  • APIs: Secure internal services behind Cloudflare with minimal configuration.

When to Consider This Package

Adopt this package if:

• Your Laravel app is behind Cloudflare (e.g., using Cloudflare’s proxy or DNS-only mode with proxy enabled).
• You need automated IP trust management to avoid manual updates when Cloudflare changes its IP ranges.
• Your app relies on $request->ip() or $request->user()->ip() for critical logic (e.g., geo-restrictions, logging).
• You’re using Laravel 8.54+ (or 7–12 with compatible versions) and PHP 8.1+ (or 7.4–8.2 for older versions).
• You want to replace TrustProxies middleware with a Cloudflare-specific solution that handles IP updates transparently.

Look elsewhere if:

• You’re not using Cloudflare (e.g., using AWS CloudFront, Nginx, or no CDN).
• Your app uses custom proxy logic that conflicts with Laravel’s TrustProxies behavior.
• You need real-time IP validation (this package caches IPs; use Cloudflare’s API directly for live checks).
• You’re on Laravel <7.0 or PHP <7.4 (use legacy versions or migrate).
• You require fine-grained IP filtering (e.g., excluding specific Cloudflare IPs); consider a custom middleware.

How to Pitch It (Stakeholders)

For Executives: "This package automates Cloudflare IP trust management in Laravel, reducing security risks and DevOps costs. By replacing manual IP whitelisting with a self-updating system, we eliminate errors from stale IP lists and ensure compliance with geo-restrictions or rate-limiting rules. It’s a 10-minute setup that future-proofs our infrastructure against Cloudflare’s IP changes—no more fire drills when they rotate IPs. For [use case: e.g., ‘our EU customer base’], this ensures accurate IP-based access controls without manual intervention."

For Engineering: *"This is a drop-in replacement for Laravel’s TrustProxies middleware, but optimized for Cloudflare. Key benefits:

• Zero maintenance: Cloudflare IPs are cached and refreshed automatically (daily via cron).
• Accurate IPs: Uses Cloudflare’s official IP ranges, not third-party lists.
• Flexible: Supports custom proxy callbacks (e.g., for hybrid setups) and Laravel 8–13.
• Performance: Lightweight (~50KB) with no external dependencies (uses Laravel’s HTTP client). Implementation: Replace TrustProxies in bootstrap/app.php, add a cron job for cache refreshes, and optionally publish the config for tuning. Tests show it’s battle-tested across Laravel versions."*

For Security/Compliance: *"This ensures our Laravel apps correctly identify client IPs behind Cloudflare, which is critical for:

• GDPR/CCPA compliance: Accurate user location data for data subject requests.
• Fraud prevention: Trusting only Cloudflare’s IPs for payment processing or API access.
• Audit trails: Reliable IP logging for forensic investigations. The package’s MIT license and active maintenance (last update: March 2026) align with our risk tolerance."*