Difference between CF-Connecting-IP and True-Client-Ip?

The literature makes it seem as though these headers contain the same information.

(Sorry, Cloudflare won’t let me include a link to their own documentation in this posting.)

True-Client-Ip requires Enterprise (thousands $$ per month). CF-Connecting-IP states no such requirement. Can I actually use CF-Connecting-IP on my Pro plan?

(And if so, why would Cloudflare be restricting the equivalent header - True-Client-Ip - to the enterprise plan? Granted that is not a technical question, but when things don’t make sense, I wonder what it is that I am missing…)

Thanks for your advice!

They do.

Anyone can.

:person_shrugging:

Pretty sure you can just use Transform Rules to add that request header yourself to be honest.

1 Like

Thanks, @KianNH !

This is a header commonly used by Akamai. Given the price point of Akamai services, offering it on the enterprise plan so operations didn’t need to make a code change made sense. It’s no different than the other header or parsing the x-forwarded-for header.

3 Likes

@cscharff Amazing! Thanks for your advice and giving some context. I’m writing my application code on my own server. To me it’s the same if the header would be called “x-kangaroo”. A shame Cloudflare’s own support personnel are not as knowledgeable as folks here. They would have cheerfully sold me a $2,000 plan upgrade for a header which is already available to me! Thanks!!

Follow up question - I’m now picking this up from x-forwarded-for. Here’s a sample of “IP addresses”. As you can see, sometimes they are an IP address as expected, but sometimes it’s some other format. I’m expecting the IP addresses in 000.000.000.000 format. What are these other entries? Thanks!


Same issue when I use CF-Connecting-IP. I get more IP addresses as expected, but still a fair amount of the unexpected values. Thanks for your advice!


Those are IPv6 addresses. If the client connected to Cloudflare over IPv4, the CF-Connecting-IP header will contain an IPv4 address. If the client connected over IPv6 it will contain an IPv6 address.

1 Like

@KianNH @cscharff So now I’m pulling both headers simultaneously. I can see that CF-Connecting-IP and X-Forwarded-For are the same in all cases. But I’m still wondering, what does it mean when I see these values which do not look like the IPv4 value as expected? Thanks for your advice!


@albert Thanks, I was wondering about that. What does that signify? I’ve been combing through IIS and SSH server logs for years and I’ve never seen an IPv6 address. Only IPv4.

It is quite possible that your server only supports IPv4. In that case you will only see IPv4 addresses in logs.

In an attempt to aid the transition from IPv4 to IPv6, Cloudflare lets visitors connect over both IPv4 and IPv6, no matter which protocol the origin server uses.

Usually computers prefer using IPv6 over IPv4 if both are available.

This means you will see both IPv4 and IPv6 addresses in the CF-Connecting-IP header.

2 Likes

@albert Thanks! I suppose the IPv6 value is just as useful to me as v4. We’re just looking for unique values to denote unique traffic sources. I really don’t care what the format of the client “identifier” is. Do you know by any chance whether True-Client-IP would behave in the same manner?

That’s right. Just as with IPv4, computers usually only have a single IPv6 address. However, since IPv6 space is so much more abundant than IPv4, an attacker could easily use billions of unique IPv6 addresses to circumvent IP rate limits/blocks.

When the True-Client-IP zone setting is turned on, the True-Client-IP header mirrors the CF-Connecting-IP header. You can only trust the True-Client-IP header if the zone setting is turned on.
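An added example, not part of the thread: one way for origin code to turn CF-Connecting-IP into a traffic-source key that handles both address families and does not let one IPv6 client look like many. The trusted-proxy ranges are constructed placeholders, and the function names, the peer check and the choice to group IPv6 clients by /64 are assumptions of this example.

```python
import ipaddress

# Constructed placeholders (documentation ranges): the proxy networks your
# origin accepts traffic from. Replace with the ranges you actually allow.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "2001:db8:ffff::/48")]
IPV6_PREFIX_LEN = 64  # assumption: count one IPv6 /64 as one traffic source


def client_ip(peer_addr, headers):
    """Visitor address: the header if the peer is a trusted proxy, else the peer."""
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer  # direct connection: a client-supplied header proves nothing
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return ipaddress.ip_address(lowered.get("cf-connecting-ip", "").strip())
    except ValueError:
        return peer  # header missing or not an IPv4/IPv6 literal


def rate_limit_key(addr):
    """IPv4 stays a single address; IPv6 collapses to its enclosing prefix."""
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            return str(addr.ipv4_mapped)  # ::ffff:a.b.c.d is really IPv4
        net = ipaddress.IPv6Network((int(addr), IPV6_PREFIX_LEN), strict=False)
        return str(net)
    return str(addr)


def source_key(peer_addr, headers):
    """Key to count or rate-limit on for one request."""
    return rate_limit_key(client_ip(peer_addr, headers))


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, request headers)
    for peer, hdrs in [
        ("192.0.2.10", {"CF-Connecting-IP": "198.51.100.9"}),
        ("192.0.2.10", {"CF-Connecting-IP": "2001:db8:1:2:aaaa:bbbb:cccc:dddd"}),
        ("192.0.2.10", {"CF-Connecting-IP": "2001:db8:1:2::5a"}),
        ("203.0.113.7", {"CF-Connecting-IP": "198.51.100.9"}),
    ]:
        print(peer, "->", source_key(peer, hdrs))
```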
