CF-Connecting-IP header is missing

What is the name of the domain?

whoami.knoll-family.de

What is the issue you’re encountering

I expect it to display the CF-Connecting-IP header, which should then be picked up by a Traefik plugin and be handled properly by further internal services.

What steps have you taken to resolve the issue?

I have made sure that the internal IP of the cloudflared service is both trusted in the Traefik Plugins and Traefik itself, when it comes to forwarded HTTP request headers. Some of the CF- headers are present, but particularly CF-Connecting-IP is still missing, although I need exactly this header.

What are the steps to reproduce the issue?

Connect to the provided address and witness that the CF-Connecting-IP header is missing from the output.

If you check under Rules → Transform Rules → Managed Transforms, there is an option called Remove visitor IP headers. Is that option maybe activated?

I have actually checked that multiple times. I even attempted turning it on and back off again, but to no avail.

And you are certain that the header isn’t removed by something in your chain? Are you checking for the header at your first application after the tunnel or in some later application that handles the request?

The header should be passed from Cloudflare to cloudflared, from there it goes to Traefik, which should forward the header to other internal services. I use the cloudflarewarp plugin for Traefik, which should read the CF-Connecting-IP header and store the IP in X-Real-IP, but it seems like this header is not present by that point. Then Crowdsec is the second middleware which should use the X-Real-IP header or even the CF-Connecting-IP header to determine the real IP of the site’s visitor. My setup might be a bit weird or convoluted, but the point is that either the header is not attached in the first place or gets lost or stripped along the way.

Can you just put something simple like Nginx or Apache right behind Cloudflared and log the header there?
I believe it’s more likely the header is removed somewhere on your side than that Cloudflare never sent it.

I could try to expose a port of whoami which cloudflared should contact directly. I am going to try that.

The header is indeed there. Could you try to help me figure out the point of failure, where the header gets lost?

It looks like that header is only stripped by the cloudflarewarp plugin, which should basically translate the IP to the X-Real-IP header. Weird.

Cloudflarewarp somehow removes the CF-Connecting-IP header and yet doesn’t touch the X-Real-IP header.

I don’t use any of the software you mentioned, so I don’t believe I’d be of any help to you with this.

After a quick look at the documentation for the cloudflarewarp plugin, what did you use for the trustip? When using a tunnel, this should usually be 127.0.0.1. This is something many people do wrong.

I have the disableDefault set to false. I’ll try what you just told me.

You need to use the IP that the request from the tunnel to Traefik is made from. This is usually 127.0.0.1, but I’ve seen setups where a local network IP was used instead. Just check in Traefik which IP the request is actually coming from.

I got it working. Thank you for your help!

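The trust check discussed in this thread, as an added Go sketch that is not part of the original posts and not the cloudflarewarp plugin's own code: a forwarding layer acts on CF-Connecting-IP only when the TCP peer is in its trusted list, and otherwise drops it. The addresses 172.18.0.5 and 203.0.113.7, the host whoami.internal and all function names are constructed for illustration; dropping a client-supplied X-Real-IP in the untrusted case is an assumption about a sensible default.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// trustedPeer checks the TCP peer address (never a header) against the trusted CIDRs.
func trustedPeer(remoteAddr string, cidrs []string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr)
	peer := net.ParseIP(host) // nil if RemoteAddr is malformed
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && peer != nil && n.Contains(peer) {
			return true
		}
	}
	return false
}

// applyRealIP copies CF-Connecting-IP to X-Real-IP only for a trusted peer (hypothetical helper).
func applyRealIP(r *http.Request, cidrs []string) bool {
	ip := net.ParseIP(r.Header.Get("CF-Connecting-IP"))
	if trustedPeer(r.RemoteAddr, cidrs) && ip != nil {
		r.Header.Set("X-Real-IP", ip.String())
		return true
	}
	// Untrusted peer or unparsable value: forward neither header, so later
	// middleware cannot be fed a spoofed visitor address.
	r.Header.Del("CF-Connecting-IP")
	r.Header.Del("X-Real-IP")
	return false
}

// simulate runs one constructed request through the check and returns what is forwarded.
func simulate(peer, visitor string, cidrs []string) (realIP, cfIP string) {
	r, _ := http.NewRequest("GET", "http://whoami.internal/", nil)
	r.RemoteAddr = peer
	r.Header.Set("CF-Connecting-IP", visitor)
	applyRealIP(r, cidrs)
	return r.Header.Get("X-Real-IP"), r.Header.Get("CF-Connecting-IP")
}

func main() {
	// cloudflared in its own container reaches the proxy from 172.18.0.5, not 127.0.0.1.
	for _, trust := range [][]string{{"127.0.0.1/32"}, {"127.0.0.1/32", "172.18.0.0/16"}} {
		xr, cf := simulate("172.18.0.5:41234", "203.0.113.7", trust)
		fmt.Printf("trust=%v X-Real-IP=%q CF-Connecting-IP=%q\n", trust, xr, cf)
	}
}
```

With only 127.0.0.1 trusted, both headers come out empty, which matches the symptom in the thread; once the address the tunnel actually connects from is in the list, the visitor IP is forwarded.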