I have the following setup:
- a set of APIs that are behind Cloudflare
- a Next.js application hosted on Vercel
- the calls from the client side application to our APIs are done through API routes, which basically means that the requests follow this pattern: client side → Vercel lambdas → Cloudflare → our APIs.
In this case it is hard to get the actual IP address of the user, hence we rely on a combination of X-Forwarded-For and some custom logic. However, I am guessing that Cloudflare uses the connecting IP in order to derive the location headers, which in this case makes them useless as the connecting ones are from the AWS infra anyway.
Is it possible to configure somehow the IP address that will be used for geolocation calculations?
Not really as the connecting IP is always going to be AWS as you say.
Can you put the AWS application behind Cloudflare and get the geo-ip information there, copy that info into some headers in your application when it then makes the API connection?
Alternatively you could create an x-forwarded-for header in your application with the client IP, Cloudflare will append the AWS IP to it(**), then you can lookup the client IP using a commercial IP lookup service at the API (use a database to cache the data to reduce lookups for latency and cost).
Or you could have a side channel where you get the client (a browser?) to make a side request to another application behind Cloudflare with an ID which can be logged with the geo-ip data with the API looking up the IP data from the ID you pass through from your application.
(**) Thinking again, would Cloudflare do the geo-ip lookup on the connecting IP, or if you are lucky, the x-forwarded-for IP address passed in? If the latter, that would probably work. Would need to check what the proxy does here.
Right now it does the IP geolocation lookup on the connecting IP, which is the AWS one, basically the underlying infra of Vercel.
In X-Forwarded-For I already have the right IP, because I manually set it from the lambda, therefore it looks like this: actual user IP, Vercel IP, Cloudflare IP. Cloudflare seems to not care though about the X-forwarded-for in their geolocation logic. So was thinking if maybe there is a way to change that.
This is correct.
Absolutely not. That would allow visitors to manipulate geolocation to get around firewall blocks.
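Added example, not part of the original thread: the last reply's point is that a client-supplied IP header can be forged, so an API that does its own geo-IP lookup on the forwarded address needs proof that the value came from the Vercel API route. One way to get that is an HMAC over the IP and a timestamp; the header name, the shared secret, and the function names below are assumptions made for illustration.

```javascript
// Added example. Header name, secret handling and function names are hypothetical.
const crypto = require('node:crypto');
const net = require('node:net');

const HEADER = 'x-client-ip-signed'; // hypothetical header carrying "ip;timestamp;hmac"
const MAX_AGE_MS = 30000;            // reject stale values to limit replay

function mac(secret, ip, ts) {
  return crypto.createHmac('sha256', secret).update(`${ip}|${ts}`).digest('hex');
}

// Runs in the Vercel API route. `ip` is the browser address as the platform reports it.
function signClientIp(ip, secret, nowMs = Date.now()) {
  if (net.isIP(ip) === 0) throw new Error('not an IP address');
  return `${ip};${nowMs};${mac(secret, ip, nowMs)}`;
}

// Runs at the origin API behind Cloudflare. Returns the verified IP, or null.
function verifyClientIp(value, secret, nowMs = Date.now()) {
  if (typeof value !== 'string') return null;
  const parts = value.split(';');
  if (parts.length !== 3) return null;
  const [ip, tsRaw, tag] = parts;
  if (net.isIP(ip) === 0 || !/^\d{1,15}$/.test(tsRaw)) return null;
  if (Math.abs(nowMs - Number(tsRaw)) > MAX_AGE_MS) return null;
  if (!/^[0-9a-f]{64}$/.test(tag)) return null;
  const expected = Buffer.from(mac(secret, ip, tsRaw), 'hex');
  const given = Buffer.from(tag, 'hex');
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, given) ? ip : null;
}

// Constructed sample values (documentation address ranges, fixed clock).
const secret = 'constructed-demo-secret';
const signed = signClientIp('203.0.113.7', secret, 1700000000000);
const forged = signed.replace('203.0.113.7', '198.51.100.9');
console.log(HEADER, '=>', verifyClientIp(signed, secret, 1700000005000)); // accepted
console.log(HEADER, '=>', verifyClientIp(forged, secret, 1700000005000)); // rejected
```

A value that fails verification should be treated as absent, and the API should fall back to the connecting IP rather than to the unsigned X-Forwarded-For entry.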