Adding X-Forwarded-For header doesn't work

glace · September 12, 2023, 2:41pm

Hello,

It’s been a day that I’m trying to add the X-Forwarded-For header, but I’m almost giving up

I’ve tried many things like adding a transform rule with X-Forwarded-For in header name and {http.request.header.CF-Connecting-IP} in value…

I’ve also tried CF-Connecting-IP in value and {CF-Connecting-IP}…

But what I get in my browser is x-forwarded-for: {http.request.header.CF-Connecting-IP}

Which means I get the value I entered, but not the IP address which is what I’m trying to get…

Do you have any idea?

Thanks in advance

cbrandt · September 12, 2023, 4:26pm

Hello,

Cloudflare already adds this header for you: Cloudflare HTTP request headers · Cloudflare Fundamentals docs

To manipulate a request header using Transform Rules, you’d need to use this syntax:

Header Name: My-Header
Header Value: http.request.headers["header-name"][0]

However, CF-Connecting-IP is not part of the visitor’s request, but it’s added by Cloudflare at the edge. Therefore it doesn’t seem to be available as part of the http.request.headers field. I’m not sure if there’s another field that contains its value.

In your browser you’d only see response headers. If you want to see what these fields contain on a test basis, you could create headers on your origin that echo back their content.

glace · September 12, 2023, 4:39pm

Hey,

Thank you so much for your answer!

Are you sure that x forwarded for is really added?

Because on all my pages I got this error: Warning: Undefined array key “HTTP_X_FORWARDED_FOR”

I asked chatgpt and he told me that it happens if there is no x forwarded for header, do you know how I could test that?

(Sorry if you already replied to this answer, I really have a hard time understanding all of that haha)

Thanks in advance!

cbrandt · September 12, 2023, 4:58pm

There’s a Managed Transform Rule to remove X-Forwarded-IP, make sure you haven’t enabled it.

Also, disable any rules you were creating to add X-Forwarded-IP header, as it may remove the original header even if it doesn’t add the one you want. For instance, if you try to add this header with the content of a dynamic field that’s empty, the header will not be created with an empty value. Instead, it won’t be created at all.

glace · September 12, 2023, 5:21pm

Thanks, here is a screen, I think I didn’t disabled something about x forwarded ip!

I removed all the rules I created + purged the cache, but I still have the error!

The only way I found to remove this error is to add x-forwarded-for in my htaccess, (if it gives any clue)

cbrandt · September 12, 2023, 5:35pm

Does you domain have a DNS record proxied by Cloudflare?

glace · September 12, 2023, 5:36pm

Yep all my “A” have “proxied” status with the could

cbrandt · September 12, 2023, 6:19pm

It works for me on a Free Plan, so you should check your PHP code to see if there’s something else at play that prevents it from seeing those request headers.

What I have that gives me confidence these headers are set is:

<If "%{QUERY_STRING} =~ /test.*?/">
# Testing if cf-connecting-ip is present
    SetEnvIfNoCase CF-Connecting-IP (.*) CC_IP=$1
    Header set A-CCI %{CC_IP}e
# Testing if x-forwarded-ip is present
    SetEnvIfNoCase X-Forwarded-For (.*) XFF_IP=$1
    Header set A-XFF %{XFF_IP}e
</If>

Then if I curl my website with:

curl -sI https://example.com/?test=1 | egrep 'a-'

I get:

a-cci: MY-IP
a-xff: MY-IP, CF-IP

You can try the same directives on your .htaccess, but it may or may not work depending on how your server is configured, and any further questions about that would fall outside the scope of this community. You may want to reach out to a server admin or PHP support forum.

glace · September 12, 2023, 7:23pm

Hey thank yo so much, I added that code into my htaccess and I made a curl.

I don’t know it it is okay, but the initial command didn’t work on my mac so I had to tweak it a bit (I asked chatgpt) : curl -sI "https://mywebsite.com/?test=1" | grep -e 'a-'

I got this:

a-cci: MY-IP
a-xff: MY-IP

Is that ok?

Thanks again for your help!

cbrandt · September 12, 2023, 7:54pm

Yes, it is. Please see the link I posted above about these headers. Depending on certain conditions, both headers will have the same value.

That means both headers are being added to requests, as documented, and now as I said before you need to bring to the relevant forums (PHP, server admin) why your code isn’t recognizing them.

glace · September 12, 2023, 7:55pm

Oh that’s awesome!

I’m happy that it is just my code!

I can delete the code I added in my htaccess?

cbrandt · September 12, 2023, 7:57pm

Yes, that was for testing only.

glace · September 12, 2023, 8:00pm

Thank you so much I understand everything better now! (and I’m happy that cloudflare is working and that it is just my code haha)

system · September 15, 2023, 8:00pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.