Automatic Platform Optimization Enabled & I No Longer See Visitor IP?

As described in topic title, since enabling Automatic Platform Optimization I now only see this IP:
2a06:98c0:3600::103
and not the visitor IP
When I disable it I start to see the visitor IP again.
Is this how it is supposed to behave or is there a problem or do I need to implement something to continue to see the visitor IP?

4 Likes

Agreed. It looks like the X-Forwarded-For HTTP and CF-Connecting-IP headers are no longer working, according to my Wordfence plugin. WF still knows Cloudflare is proxying, but WF isn’t getting the correct Visitor IP address, nor is my NGINX configuration.

Maybe @simon is tracking APO issues.

3 Likes

Any way we can get feedback on if this is gonna be remedied?
Or should I open a support ticket?

1 Like

Have submitted a ticket

2 Likes

Can you post the ticket # as well? @cloonan usually keeps an eye on them.

1 Like

I also see this exact same issue. Have to disable APO to log in since WordFence blocks everyone from logging in since it looks like everyone has the same IP address.

1991444

2 Likes

We will investigate, thanks for reporting. In theory APO shouldn’t impact Visitor IP as we don’t change requests we pass to origin, so hopefully should be easily addressed.

3 Likes

Wordfence just blocked out the whole 2a06:98c0:3600::103 range. I had to disable Wordfence until they whitelist the range.

Same issue here. Plus, I kept getting locked out of my site due to excessive 404s, apparently caused by hundreds of visitors all being seen as one and the same. I tried whitelisting the IP in WF, but then my attack rate went up.

Since I don’t want to disable WordFence, I had to disable APO until this gets fixed.

Can confirm the same issue on my side, and I have proper configuration to read CF-Connecting-IP from Cloudflare IPs list (v4+v6).

I have IPv6 connectivity only on my servers and I see all incoming connections from 2a06:98c0:3600::103 with APO enabled. When disabled all goes back to normal.

I’m having the same issue. I’m now constantly getting locked out of my admin via WordFence with that IP address “2a06:98c0:3600::103”. Are end-users also likely to be having this issue? I.e. should we disable APO for now until an update?

Actually was just on my site in Incognito mode (i.e. normal user) and also got it, so god knows how many visitors have now had this issue.

APO uses Cloudflare Workers it seems, from what I was able to understand from the technical presentation.

Seems like other Cloudflare Workers users (not APO users) have had the same issue since July already: Workers always pass "CF-Connecting-IP: 2a06:98c0:3600::103"

Yup, can confirm with WP APO enabled, real visitor IP is missing now. I did 2 requests to the WordPress index page, one with ?noapo and one with ?apo, to see what the Nginx access.log logged IP-wise.

xxx.xxx.xxx.xxx is my real ISP IP for the ?noapo request, while the ?apo request showed the IP for the CF Brisbane location

egrep 'noapo|apo' access.log

xxx.xxx.xxx.xxx - - [04/Oct/2020:09:24:12 +0000] "GET /?noapo HTTP/1.1" 200 36636 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 OPR/71.0.3770.171"

172.68.86.24 - - [04/Oct/2020:09:25:53 +0000] "GET /?apo HTTP/1.1" 200 36636 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36 OPR/71.0.3770.171"

curl -s https://ipinfo.io/172.68.86.24
{
  "ip": "172.68.86.24",
  "city": "Brisbane",
  "region": "Queensland",
  "country": "AU",
  "loc": "-27.4679,153.0281",
  "org": "AS13335 Cloudflare, Inc.",
  "postal": "4000",
  "timezone": "Australia/Brisbane",
  "readme": "https://ipinfo.io/missingauth"
}
1 Like

Same here, since yesterday Wordfence is not allowing me to log in to the WP dashboard.

I hope Cloudflare will resolve this issue soon. I am waiting for the solution, please help.

@richardmorse441 when APO is enabled, all requests to origin go as Cloudflare Workers subrequests. In order to get the visitor IP address, please use the CF-Connecting-IP header. An existing customer commented that you can configure Wordfence to read the visitor IP from the CF-Connecting-IP header by changing:

“General Wordfence Options > How does Wordfence get IPs” to the last Cloudflare option.

My initial problem still stands (it’s not a Wordfence issue) in that I tail my log file and I only see the CF IP and already have CF-Connecting-IP header working correctly.

That’s not working.

Right, I’m reading threads related to workers and 2a06:98c0:3600:0:0:0:0:103 IP. Because of security concerns CF-Connecting-IP gets set to 2a06:98c0:3600:0:0:0:0:103. We will come up with a solution to pass real Visitor IP to the origin via a dedicated header. Will update this thread once we have a solution in place.

4 Likes
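
An added example, not code from any poster or from Cloudflare: an origin-side check that trusts CF-Connecting-IP only when the TCP peer is a Cloudflare address, and flags the 2a06:98c0:3600::103 placeholder reported in this thread instead of treating it as one visitor. The function names, the status labels, the two-entry range list and the sample requests are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: two of Cloudflare's published edge ranges, enough for this demo.
# A real deployment loads the full current list.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n)
                     for n in ("172.64.0.0/13", "2a06:98c0::/29")]
# Address the thread reports in CF-Connecting-IP on Workers subrequests.
WORKERS_PLACEHOLDER = ipaddress.ip_address("2a06:98c0:3600::103")

def from_cloudflare(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)

def resolve_client_ip(peer, headers):
    """Return (ip, status) for one request.

    status is "direct" (peer is not Cloudflare, header ignored), "visitor"
    (header carries a usable address) or "no-visitor-ip" (proxied, but the
    header is missing, malformed, the Workers placeholder or a Cloudflare
    address).
    """
    if not from_cloudflare(peer):
        return peer, "direct"  # anyone can send this header straight to origin
    try:
        claimed = ipaddress.ip_address(headers.get("CF-Connecting-IP", "").strip())
    except ValueError:
        return peer, "no-visitor-ip"
    if claimed == WORKERS_PLACEHOLDER or from_cloudflare(str(claimed)):
        return peer, "no-visitor-ip"
    return str(claimed), "visitor"

def tally(requests):
    """Count requests per visitor; requests without a visitor IP are pooled
    under None, because a per-IP lockout keyed on them hits every visitor."""
    counts = Counter()
    for peer, headers in requests:
        ip, status = resolve_client_ip(peer, headers)
        counts[None if status == "no-visitor-ip" else ip] += 1
    return counts

# Constructed sample: (TCP peer address, request headers as the origin sees them).
SAMPLE = [
    ("172.68.86.24", {"CF-Connecting-IP": "203.0.113.7"}),                 # proxied visitor
    ("172.68.86.24", {"CF-Connecting-IP": "2a06:98c0:3600::103"}),         # Workers subrequest
    ("172.68.86.24", {"CF-Connecting-IP": "2a06:98c0:3600:0:0:0:0:103"}),  # same, expanded form
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),                 # direct hit, header ignored
]

if __name__ == "__main__":
    print(tally(SAMPLE))
```

What to do with requests pooled under None (challenge, global limit, or pass) is left to the caller; the thread notes that simply whitelisting the address raised one poster's attack rate.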