Cf-connecting-ip mismatches

Hello,
I need a little bit of help with some issues I am facing.

Basically, I have a website where a user selects the file they want to download. Then my server generates an encrypted download URL that contains a timestamp and the IP address of the user, fetched from the cf-connecting-ip header. After the URL is generated, the user is automatically redirected to a Cloudflare Worker, i.e. the download portal. There the user's IP is again fetched from the same header. Then the IP address and the encrypted URL are sent to the server via a POST request to check whether the remote IP matches and whether the download link has expired.

Everything is going as I expected. But somehow the IP address fetched on the server and the one fetched in the Cloudflare Worker are different.

xxx.yyy.164.2 is the IP fetched on the server.
xxx.yyy.134.194 is the IP fetched in the Cloudflare Worker.
(xxx and yyy are the same values in both IPs.)

As the IP addresses do not match, the downloads get aborted and the user is redirected back to the download page.

Could someone help me if they know why this is happening and whether there is any way to fix it?

And sorry if I am not able to explain this properly. But any help is appreciated.

This is a known behaviour when users are using Cloudflare Workers, because there is at least one subrequest involved, and it won't be true that the cf-connecting-ip is coming from the client (by the definition of who is who); the cf-connecting-ip should be the IP of the subrequest.

I haven't tried it myself, but there should be a way to identify the client's real IP before the Workers script makes the subrequest. I still need to patch up my knowledge of this too. Sorry if I'm not able to give a proper solution.

Thank you for your reply. Can you help me a bit more with this? I am not able to figure out at what stage I should fetch the header so that the subrequest does not modify the headers.

We return 2a06:98c0:3600::103 when the request is coming from Workers.

You can either add a custom header to the request to pass to your server as discussed on our community here: Workers always pass "CF-Connecting-IP: 2a06:98c0:3600::103"

Someone also mentions that the True-Client-IP header gives the correct client IP.

What is True-Client-IP?
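
The custom-header approach suggested in the reply above, as an added example that is not code from this thread or from Cloudflare: the Worker reads the visitor IP from the incoming request and forwards it to the origin, which accepts that header only from an authenticated Worker. The header names `X-Client-IP` and `X-Worker-Auth`, the shared secret, the 300-second lifetime and the `claims` shape are assumptions, and the origin-side check is written in JavaScript only for illustration.

```javascript
// Added example. All names below are hypothetical, not Cloudflare-defined.
const CLIENT_IP_HEADER = "X-Client-IP";      // custom header carrying the visitor IP
const WORKER_AUTH_HEADER = "X-Worker-Auth";  // shared secret proving the sender is our Worker
const MAX_AGE_SECONDS = 300;                 // assumed download-link lifetime

// Worker side: capture CF-Connecting-IP from the *incoming* request, before the
// subrequest is made, and copy it into a custom header for the origin.
function buildVerifyInit(incomingRequest, token, sharedSecret) {
  const clientIp = incomingRequest.headers.get("CF-Connecting-IP");
  if (!clientIp) throw new Error("no CF-Connecting-IP on incoming request");
  return {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      [CLIENT_IP_HEADER]: clientIp,
      [WORKER_AUTH_HEADER]: sharedSecret,
    },
    body: JSON.stringify({ token }),
  };
}
// In the Worker's fetch handler (assumed names):
//   await fetch(VERIFY_URL, buildVerifyInit(request, token, env.VERIFY_SECRET));

// Length-checked comparison that does not exit early on the first differing char.
function sameString(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin side. `claims` = { ip, issuedAt } as the server recovers them from its
// own encrypted URL; `headers` only needs a get(name) method.
function checkDownload(claims, headers, sharedSecret, nowSeconds) {
  // Without this check any client could set X-Client-IP itself.
  if (!sameString(headers.get(WORKER_AUTH_HEADER), sharedSecret)) {
    return { ok: false, reason: "untrusted-sender" };
  }
  const age = nowSeconds - claims.issuedAt;
  if (age < 0 || age > MAX_AGE_SECONDS) return { ok: false, reason: "expired" };
  // Compare against the forwarded visitor IP, not the subrequest's CF-Connecting-IP.
  if (headers.get(CLIENT_IP_HEADER) !== claims.ip) return { ok: false, reason: "ip-mismatch" };
  return { ok: true, reason: "match" };
}
```
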