My server reads IPs in IPv4, but the only way that I can find to identify users through Cloudflare is to use mod_remoteip to make the system read CF_CONNECTING_IP instead of REMOTE_ADDR.
Which is all fine and dandy, except that sometimes (most times) CF_CONNECTING_IP is returning IPv6, and I have no way of getting the IPv4.
I have over 100 IPv4 IPs allowlisted in cPanel’s cPHulk and CSF, and I honestly don’t even know if it’s possible to make them use IPv6. Even if there is, there’s no way for me to know the IPv6 addresses of the ones I’ve allowlisted in the past.
Before I start going down this very dark path of trying to change the server to use IPv6, is there any way to get Cloudflare to only send IPv4?
If the client is connecting (to Cloudflare) by IPv6, then you can’t know their IPv4 address.
While getting your backend to use IPv6 is the best solution, a temporary hard fix is to turn off IPv6 for your domain which will force clients to connect to Cloudflare over IPv4. Unless you have an Enterprise account, this can only be done using the API and will affect all subdomains in the zone.
I SSH’ed to my server as root (which does have curl) and pasted this:
curl --request PATCH
–url https://api.cloudflare.com/client/v4/zones/[zone id]/settings/ipv6
–header ‘Authorization: Bearer undefined’
–header ‘Content-Type: application/json’
(Using the result from API > Zone ID in place of [zone id])
but this was the result (line breaks added for readability):
“message”:“Invalid request headers”,
“message”:“Invalid format for Authorization header”
So I’m guessing that “Bearer undefined” wasn’t intended to be literal, and instead I need to create an API Token for the “Bearer”?
When I go to Profile > User API Tokens, though, none of the pre-configured permissions say anything about “Network”. So I’m guessing that I need to create a Custom Token.
None of THOSE say anything about “Network”, either, though, so now I’m kind of at a loss :-/
The bearer is how you authenticate with the API. Check under your dashboard…
You either need to use an API token that you configure with the right permissions, like this…
--header "Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxx"
Or, for speed and ease (don’t use in code, but for a one-off on the command line it’s quicker), use your email address and global API key, like this…
--header "X-Auth-Email: [email protected]" \
--header "X-Auth-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Worked perfect, thanks! Seeing that CF really doesn’t want to use IPv4, though, I’m concerned that this will go away without warning in the future. But CSF and cPHulk rely on IPv4, so I hope that doesn’t happen until everyone gets on the same page!
Cloudflare has no preference(*) for IPv4 or IPv6, in fact they’ve provided the ability to connect over IPv6 to your IPv4-only service. Blame your backend for not supporting IPv6
(*) The preference is that of most client software (browsers, SSH clients, FTP clients, etc, etc) that all now try IPv6 first if it is available.
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.