CF_CONNECTING_IP With Cloudflare IP Validation using PHP

What is the name of the domain?

What is the issue you’re encountering

CF_CONNECTING_IP Not Showing Visitor’s IP Address

What steps have you taken to resolve the issue?

Logs, but unable to locate the ‘special’ request.

What are the steps to reproduce the issue?

Validate the $_SERVER[‘REMOTE_ADDR’] is actually from Cloudflare before checking the $_SERVER[‘HTTP_CF_CONNECTING_IP’];.

Here is the PHP code I use to get the visitors IP Address. It works 99.999% of the time, but there seems to be a request that is getting through every day and using Cloudflare’s IP address.

 $ip=$_SERVER['REMOTE_ADDR'];
$lip=ip2long($ip);
if($lip >= '2728263680' && $lip <= '2728394751' || 
	$lip >= '1745879040' && $lip <= '1746927615' || 
	$lip >= '2889875456' && $lip <= '2890399743' ||
	$lip >= '2918526976' && $lip <= '2918531071' ||		
	$lip >= '1729491968' && $lip <= '1729492991' ||
	$lip >= '1729546240' && $lip <= '1729547263' ||
	$lip >= '1730085888' && $lip <= '1730086911' ||
	$lip >= '3320508416' && $lip <= '3320509439' ||
	$lip >= '2372222976' && $lip <= '2372239359' ||
	$lip >= '1822605312' && $lip <= '1822621695' ||
	$lip >= '3193827328' && $lip <= '3193831423' ||
	$lip >= '3161612288' && $lip <= '3161616383' ||
	$lip >= '1746403328' && $lip <= '1746927615' ||
	$lip >= '2197833728' && $lip <= '2197834751' ||
	$lip >= '3324608512' && $lip <= '3324641279'){
		$ip=$_SERVER['HTTP_CF_CONNECTING_IP'];
}

echo "Your IP Address is: $ip";

It appears to be the same user bouncing around on VPN connections, that is sometimes able to spoof his IP address as being actually Cloudflare for requests.

Is there another way to validate the CF_CONNECTING_IP or get the IP address of the user?

The IP Address that my program is showing accessing pages is ‘104.28.49.x’

Which is 1746678016 and should fall into the rules above to give me the real user’s IP address.

$lip >= ‘1745879040’ && $lip <= ‘1746927615’ ||

Which address would that be? It could be a WARP user, and the IP address wouldn’t fall within the ranges at IP Ranges

1 Like

Here’s the users IP that is ‘getting through’ ’ 104.28.49.x’ and it does fall in the IP ranges I have listed.

I can’t understand how it’s getting passed using the Cloudflare IP Address, unless it is sending a header with CF_CONNECTING_IP: 104.28.49.x …

I have tried everything to catch this IP request in a log, my code above is simple…

Please help me understand. These requests are being used to bypass my spam detection to get my content. The user is logged into my website and 1 hour previously visiting from a VPN in Lativa… and then somehow switched to be a Cloudflare IP Address and bottled all of my content.

What is a WARP IP?

NOTE: I have IPV6 DISABLED.

That’s not a proxy IP address from the list I linked to. It’s most likely a WARP VPN user.

1 Like

Ya, the ip address falls in 104.24.0.0/14

104.16.0.0 - 104.31.255.255

104.28.49.x falls in that range.

Reading the WARP documents now… it seems WARP means Cloudflare Workers and other services? How can I stop a rogue Cloudlare Worker from accessing my page?

Is it safe to assume that if the end ‘actual IP address’ is still a Cloudflare IP Address, it’s a ‘WARP USER’ ?

Simple code:

$lip=ip2long($ip);
if($lip >= '2728263680' && $lip <= '2728394751' || 
	$lip >= '1745879040' && $lip <= '1746927615' || 
	$lip >= '2889875456' && $lip <= '2890399743' ||
	$lip >= '2918526976' && $lip <= '2918531071' ||		
	$lip >= '1729491968' && $lip <= '1729492991' ||
	$lip >= '1729546240' && $lip <= '1729547263' ||
	$lip >= '1730085888' && $lip <= '1730086911' ||
	$lip >= '3320508416' && $lip <= '3320509439' ||
	$lip >= '2372222976' && $lip <= '2372239359' ||
	$lip >= '1822605312' && $lip <= '1822621695' ||
	$lip >= '3193827328' && $lip <= '3193831423' ||
	$lip >= '3161612288' && $lip <= '3161616383' ||
	$lip >= '1746403328' && $lip <= '1746927615' ||
	$lip >= '2197833728' && $lip <= '2197834751' ||
	$lip >= '3324608512' && $lip <= '3324641279'){
		$ip=$_SERVER['HTTP_CF_CONNECTING_IP'];
		$lip=ip2long($ip);
}

if($lip >= ‘2728263680’ && $lip <= ‘2728394751’ ||
$lip >= ‘1745879040’ && $lip <= ‘1746927615’ ||
$lip >= ‘2889875456’ && $lip <= ‘2890399743’ ||
$lip >= ‘2918526976’ && $lip <= ‘2918531071’ ||
$lip >= ‘1729491968’ && $lip <= ‘1729492991’ ||
$lip >= ‘1729546240’ && $lip <= ‘1729547263’ ||
$lip >= ‘1730085888’ && $lip <= ‘1730086911’ ||
$lip >= ‘3320508416’ && $lip <= ‘3320509439’ ||
$lip >= ‘2372222976’ && $lip <= ‘2372239359’ ||
$lip >= ‘1822605312’ && $lip <= ‘1822621695’ ||
$lip >= ‘3193827328’ && $lip <= ‘3193831423’ ||
$lip >= ‘3161612288’ && $lip <= ‘3161616383’ ||
$lip >= ‘1746403328’ && $lip <= ‘1746927615’ ||
$lip >= ‘2197833728’ && $lip <= ‘2197834751’ ||
$lip >= ‘3324608512’ && $lip <= ‘3324641279’){
die(‘we do not allow WARP Access’);
}

I don’t think that’s correct.

Yours works out to 104.16.0.0/12, which isn’t on the list.

1 Like

What? The IP Address falls in the list… Doesn’t it?

Whois
CIDR: 104.16.0.0/12
NetRange: 104.16.0.0 - 104.31.255.255

104.28.49.x falls in that range.

YOUR IP is 104.24.0.0/14, is inside of 104.16.0.0/12, the IP range is split strange… but it’s inside of the code I provided. I convert the IP to long.

I’m just providing Whois information, in the code I have the exact Cloudflare IP list. The IP seems to whois strange, but I assure you the PHP code has the Cloudflare list you provide. I’m going to convert them all from Long to IPs again and post it here.

Hi,

I see what you mean, I think I did that because of the other rule: 104.24.0.0-104.31.255.255 to put both rules into 1 line.

104.16.0.0-104.27.255.254 (104.16.0.0/13)
104.24.0.0-104.31.255.255 (104.24.0.0/14)
IS
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12

I’ve fixed that to be more correct… So that can’t be the reason that the wrong IP Address is coming in…

Still a little confused, please advise if possible. How does a logged in user keep coming through Cloudflare’s IP? My last line $ip=$_SERVER[‘HTTP_CF_CONNECTING_IP’] should in theory make the IP address blank.

$ip=$_SERVER[‘REMOTE_ADDR’];
$lip=ip2long($ip);
if($lip >= ‘2728263680’ && $lip <= ‘2728394751’ || //162.158.0.0-162.159.255.255 (162.158.0.0/15)
$lip >= ‘1745879040’ && $lip <= ‘1746665470’ || //104.16.0.0-104.27.255.254 (104.16.0.0/13)
$lip >= ‘2889875456’ && $lip <= ‘2890399743’ || //172.64.0.0-172.71.255.255 (172.64.0.0/13)
$lip >= ‘2918526976’ && $lip <= ‘2918531071’ || //173.245.48.0-173.245.63.255 (173.245.48.0/20)
$lip >= ‘1729491968’ && $lip <= ‘1729492991’ || //103.21.244.0-103.21.247.255 (103.21.244.0/22)
$lip >= ‘1729546240’ && $lip <= ‘1729547263’ || //103.22.200.0-103.22.203.255 (103.22.200.0/22)
$lip >= ‘1730085888’ && $lip <= ‘1730086911’ || //103.31.4.0-103.31.7.255 (103.31.4.0/22)
$lip >= ‘3320508416’ && $lip <= ‘3320509439’ || //197.234.240.0-197.234.243.255 (197.234.240.0/22)
$lip >= ‘2372222976’ && $lip <= ‘2372239359’ || //141.101.64.0-141.101.127.255 (141.101.64.0/18)
$lip >= ‘1822605312’ && $lip <= ‘1822621695’ || //108.162.192.0-108.162.255.255 (108.162.192.0/18)
$lip >= ‘3193827328’ && $lip <= ‘3193831423’ || //190.93.240.0-190.93.255.255 (190.93.240.0/20)
$lip >= ‘3161612288’ && $lip <= ‘3161616383’ || //188.114.96.0-188.114.111.255 (188.114.96.0/20)
$lip >= ‘1746403328’ && $lip <= ‘1746927615’ || //104.24.0.0-104.31.255.255 (104.24.0.0/14)
$lip >= ‘2197833728’ && $lip <= ‘2197834751’ || //131.0.72.0-131.0.75.255 (131.0.72.0/22)
$lip >= ‘3324608512’ && $lip <= ‘3324641279’){ //198.41.128.0-198.41.255.255 (198.41.128.0/17)
$ip=$_SERVER[‘HTTP_CF_CONNECTING_IP’];
}

echo 'Your IP Address is: '.$ip; for this user would show:

Your IP Address is: 104.28.49.x

If I was to do code that says
$ip=$_SERVER[‘REMOTE_ADDR’];
$ip=$_SERVER[''testing test"];
echo "Your IP Address is: '.$ip; would be blank.

It’s like Cloudflare is sending the header CF_CONNECTING_IP: 104.28.49.x with the connection request.

Bump. Do you have any suggestions on how to determine how this visitor is coming to the website with a Cloudflare IP?

Is there any documentation on WARP user? How can I connect to my website using WARP so that I can test things?

P.S. Isn’t it a huge security hole to have millions of websites simply looking for $_SERVER[‘HTTP_CF_CONNECTING_IP’]? If somebody get’s the home IP of any server on cloudflare, they can spoof that header and bypass everything most likely.

That IP is still not in the list of Cloudflare’s IP range. It is not a proxy IP. It IS the CF_CONNECTING_IP.

That is still not right.
104.24.0.0/14 includes IPs from 104.24.0.0 to 104.27.255.255

The IP is from Cloudflare’s VPN service. Like any other VPN, it hides the users real IP address.

People don’t just “get” an IP address that belongs to Cloudflare. But Cloudflare does provide additional security for this case, either with Authenticated Origin Pulls or Cloudflare Tunnels.

2 Likes

This topic was automatically closed after 15 days. New replies are no longer allowed.