Forwarding CF-Connecting-IP between two Cloudflare proxy domains

I have a design question: I would like to forward requests from one of my Cloudflare domains to another Cloudflare domain. Is there a way I can preserve the Cf-Connecting-IP from first domain to the next?

Set up: User → Domain1 (Cloudflare/proxied) → Domain2 (Cloudflare/proxied) → Origin

Is there a way for me to pass the user’s IP address to Domain2 (without changing any settings in Domain2)? Cf-Connecting-IP is overwritten in Domain2 and the origin does not receive the original user’s IP address.

Though it is possible to copy the original user’s IP address in another header, I don’t want to follow that method as Domain2 is also receiving requests from users.

Any suggestions/ideas are appreciated.

Thank you.

I am stuck. Can someone please help if this is possible?

It might be in X-Forwarded-For still but you’d have to parse that yourself.

Alternatively, it’ll be the method of using a transform rule to copy it to another header.

Maybe you can set up a Cloudflare Transform request header modification on Domain1 to attach the real visitor’s IP to a custom request header that you pass onto Domain2?


No. That would essentially enable client IP spoofing. You will need to have access to domain2’s Cloudflare settings and origin server.

For security reasons the cf-connecting-ip header is immutable (with the notable exception of same-zone Worker sub-requests).

However, as @eva2000 suggested, you can use Transform Rules on domain2 to add a different header containing either the user IP or the IP forwarded by domain1.

Create a new Request Header Rewrite rule that overwrites the x-forwarded-for header to the user IP if the request does not come from domain1’s origin server.

When (ip.src ne <domain1 origin IP>) dynamically set x-forwarded-for to ip.src.

Then on domain1’s origin server, copy the value of cf-connecting-ip to x-forwarded-for before sending the request to domain2.

On domain2’s origin server, restore the client IP address from x-forwarded-for instead of cf-connecting-ip.


FYI, if your origin is Nginx server based, then you may not need to use Transform rules either. Nginx has an option for real_ip_recursive.

Syntax: real_ip_recursive on | off;
Default: real_ip_recursive off;
Context: http, server, location

This directive appeared in versions 1.3.0 and 1.2.1.

If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the request header field defined by the real_ip_header directive. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field.

Basically with real_ip_recursive on, Nginx origin will in theory automatically get the real IP of visitor from Domain1 address list
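The right-to-left search described in the quoted Nginx documentation, as an added example that is not part of the original thread and not Nginx's own code: a Python model showing which address each mode selects for the User → Domain1 → Domain2 → Origin chain, and that entries a client prepends to X-Forwarded-For do not change the result when recursion is on. The addresses are constructed documentation-range values, and `real_ip`, `is_trusted` and `TRUSTED` are hypothetical names.

```python
import ipaddress

# Constructed sample values, not real Cloudflare or site addresses.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",  # stands in for the Cloudflare edge ranges
    "192.0.2.10/32",    # stands in for Domain1's origin server
)]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def real_ip(peer, xff, recursive, trusted=TRUSTED):
    """Model of the documented real_ip_header / real_ip_recursive behaviour.

    peer is the TCP peer address seen by Domain2's origin, xff the
    X-Forwarded-For value it received.
    """
    addr = ipaddress.ip_address(peer)
    # The header is only honoured when the connection comes from a trusted proxy.
    if not is_trusted(addr, trusted):
        return str(addr)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the right: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Assumption of this model: stop at an unparseable entry and
            # keep the last valid address found.
            break
        # Non-recursive: take the last entry. Recursive: stop at the first
        # entry (from the right) that is not one of our proxies.
        if not recursive or not is_trusted(addr, trusted):
            break
    return str(addr)


if __name__ == "__main__":
    # Constructed header: client-supplied value, user, Domain1 edge, Domain1 origin.
    chain = "10.9.8.7, 203.0.113.7, 198.51.100.5, 192.0.2.10"
    print("recursive on :", real_ip("198.51.100.20", chain, True))
    print("recursive off:", real_ip("198.51.100.20", chain, False))
```

The result is only as trustworthy as the trusted list: any address listed there is skipped, so the list should contain only proxies that append to the header themselves.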

Thank you for all the suggestions.

@albert I think same-zone worker sub-requests would be worth exploring for my use-case. Do you have any references/tutorials that you can point me at?

A same-zone sub-request is a request for the same domain (e.g. Worker runs on and makes a request to so it isn’t applicable in your case. I was just mentioning this is the only place where the CF-Connecting-IP header can be modified.

