Cf-connecting-ip is always present

Good day,

I am very happy with what workers can provide. Been using that lately as a serverless router on top of my website. Though for that I have to make a fetch request. And what I realized is that there are tons of headers set to the site I requested:

    "Cdn-Loop": "cloudflare; subreqs=1", 
    "Cf-Connecting-Ip": "192.168.1.1", 
    "Cf-Ew-Via": "69", 
    "Cf-Ray": "somehash-FRA", 
    "Cf-Visitor": "{"scheme":"https"}", 
    "Cf-Worker": "mysite.xyz"

Especially the Cf-Connecting-Ip bothers me. Is there a way to get rid of that if a worker makes a request?

Not really, these headers are for debugging purposes and allow you to map the request to the actual client address. It is good that they are included in each request.

Basically what I am doing is: a request comes in to my worker. I parse the requested path after the worker URL and make a fetch request to my actual webserver to fetch the content depending on what was requested and I finally return that to our user who initiated the worker request.

If I could access these headers from the worker only before making the request to my own webserver, it would be fine. But I don’t want to send the original IP of the user who sent a request to the worker to my webserver. I would like to ensure that I don’t log any client IPs.

Why do you not want the header sent to your server? You can simply ignore it on that end. There is no issue with that.

I do want to log headers which can be useful for debugging. But I don’t need to log all these as these take up a lot of space in the webserver logs plus I promised to my users that I won’t log IPs. This way I have to make my webserver ignore it which is not really supported by the one I use.

Which webserver are you using and how are you logging the headers?

But anyhow, no, you cannot disable that header. Simply make sure you ignore it on your webserver.

I use apache and simply use its basic http.log functionality.

But I don’t get why it’s necessary to send the origin IP to any fetch request a worker does. That doesn’t make sense to me. :thinking:

A standard Apache setup won’t log that header in the first place, so it really shouldn’t be a problem.

If you log it, you must have explicitly configured that and in that case you simply remove that configuration. Unless of course you rewrite IP addresses, in which case you simply stop doing so :slight_smile:

I set it to log all headers. As far as I know there is no way to remove one specific header.

Can you post that configuration setting here?

    LoadModule log_forensic_module /usr/lib64/httpd/modules/mod_log_forensic.so
    <IfModule log_forensic_module>
    ForensicLog /var/log/httpd/forensic_log
    </IfModule>

I use this module basically.

That is quite a sledgehammer for logging (as the name already suggests). Using the default logging might be the better choice.

But anyhow. No, I am afraid you cannot disable that header.

I couldn’t find a way sadly to log all headers sent with the request EXCEPT the Cf-Connecting-Ip header for example with the basic functionality either. This one at least logs all headers, but doesn’t exclude the one I would prefer not to keep.

All I want is keeping anonymity of my users on my end but storing debug data in case I would need it. As all the other headers I am storing are okay in terms of privacy. But I guess I won’t be using workers then.

Is there any way to request a feature like that somehow from the devs?

Why do you need all headers? Just use the default logging and explicitly add the headers you want.

You can post a feature request at #feedback:prodreq but (for security reasons) I am not sure this even would be considered.

I wonder, what would be those security reasons?

For client identification and so on.

I don’t think it will lead to much but you can certainly try. As for a tangible suggestion I can only refer back to what I mentioned earlier.

Alright, thanks for your time and kindness! Very much appreciated

One other thing you could certainly do, is keeping your current logging and placing an additional proxy in between Cloudflare and Apache, which doesn’t log anything but filters out the headers in question.

You could also try to check if you could get mod_headers to run before your logger and then filter out the headers on Apache’s side.

The first paragraph basically summarizes my escape plan. But one extra layer is more latency oh well.

The second method could work tho, I will read more on that.

Never mind, solved it in a decent way with the headers module.
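Added example, not part of the thread and not the poster's mod_headers solution: a different way to keep the forensic log while never writing Cf-Connecting-Ip to disk is to use the piped form of `ForensicLog` and filter each entry before it is stored. The script path, output path and sample entry below are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Drop selected request headers from mod_log_forensic entries.

Assumed wiring (script and log paths are hypothetical):
    ForensicLog "|/usr/local/bin/scrub_forensic.py /var/log/httpd/forensic_log"
"""
import sys

# Header names to drop, compared case-insensitively.
DROP = frozenset({"cf-connecting-ip"})


def scrub_line(line, drop=DROP):
    """Return one forensic log line with the headers named in `drop` removed."""
    body = line.rstrip("\n")
    # '+' entries carry the request and its headers; '-' entries hold only
    # the closing id and pass through unchanged.
    if not body.startswith("+"):
        return line
    fields = body.split("|")
    # fields[0] is "+<id>", fields[1] is the request line, headers follow as
    # "Name:value". mod_log_forensic hex-escapes '|' and ':' inside values,
    # so splitting on '|' and on the first ':' is unambiguous.
    kept = fields[:2]
    for field in fields[2:]:
        name, sep, _value = field.partition(":")
        if sep and name.strip().lower() in drop:
            continue
        kept.append(field)
    newline = "\n" if line.endswith("\n") else ""
    return "|".join(kept) + newline


def main(out_path):
    # Line-buffered append: each entry is written as soon as Apache sends it.
    with open(out_path, "a", buffering=1) as out:
        for line in sys.stdin:
            out.write(scrub_line(line))


# Constructed sample entry (documentation address, made-up id and ray value).
SAMPLE = ("+constructedid01|GET /page HTTP/1.1|Host:example.test|"
          "Cf-Connecting-Ip:203.0.113.7|Cf-Ray:constructed-FRA|"
          "Cf-Worker:mysite.xyz\n")

if __name__ == "__main__":
    main(sys.argv[1])
```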