I have a Ruby on Rails app and am trying to implement Rack Attack to be able to block abusive scrapers.

To be able to do this I need the origin client’s IP address and I believe the right way to get this is using the CF_CONNECTING_IP header.

However when trying to just simply log the header to check that it exists in my production app it’s constantly not returning anything.

I am on the free version of Cloudflare and as I mentioned above this is a Ruby on Rails app as an API.

The code I currently have to try and log the header is as follows:

class Rack::Attack =

  class Request < ::Rack::Request
    def remote_ip      
      @remote_ip ||= (env['HTTP_CF_CONNECTING_IP'] || env['action_dispatch.remote_ip'] || ip).to_s    

  track('Log all requests') do |req|
    puts req.ip # returns an ip address
    puts req.env['action_dispatch.remote_ip'] # returns the same ip as req.ip
    puts req.env['HTTP_CF_CONNECTING_IP'] # returns nothing :(

Any help people can provide would be much appreciated as I’m totally stumped!

Sounds like something is wrong with the cgi handler in apache/nginx not properly injecting the environment variable(s). Can you see if any other CGI env is available to your server such as HTTP_HOST and HTTP_ACCEPT?


Thanks for your reply. The API is hosted on Heroku and so I don’t believe there is any Apache or NGINX. I will try logging the other fields though as you’ve suggested and report back :slight_smile:


Yep the host logs fine but there still doesn’t seem to be any sign of HTTP_CF_CONNECTING_IP

If that header isn’t showing up it might be something with Heroku not passing or not receiving the header itself. Make sure You can also make sure Cloudflare is working on your website by going to /cdn-cgi/trace (eg. and seeing output similar to

Is it possible the affected requests aren’t actually going through Cloudflare? Unless you block non-Cloudflare IP addresses, people can still make direct requests to your web server. It’s also possible you forgot to enable the proxy in the Cloudflare dashboard.

The proxy is definitely in place but I think you might be right and these bots are not even going through cloudflare, they’re just making requests straight to the server. Thanks for suggesting this :slight_smile:


This topic was automatically closed after 14 days. New replies are no longer allowed.