Got access from private ip address

I got several access log entries from a private IP address. It’s 172.16... (masked)

Some nginx logs like this:
172.16.. - - [07/Feb/2021:18:32:02 +0900] "GET / HTTP/1.1" 200 14712 "https://www.google.com/" 0.000 - . "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "172.16.." ""

The requests all seem all right except for the IP address from 172.16.
It seems that it was a live user who accessed the homepage and viewed some pages normally.

I’m using the real_ip_header module restrictively:
real_ip_header "CF-Connecting-IP";
set_real_ip_from 127.0.0.0/8 ;
set_real_ip_from ::1/128 ;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32 ;
set_real_ip_from 2606:4700::/32 ;
set_real_ip_from 2803:f800::/32 ;
set_real_ip_from 2405:b500::/32 ;
set_real_ip_from 2405:8100::/32 ;
set_real_ip_from 2a06:98c0::/29 ;
set_real_ip_from 2c0f:f248::/32 ;
#My networks were removed; I don’t think they’re from my network and I do not use 172.16

I checked all logs not yet deleted; no other similar requests before Feb 07 were found.

My only guess is that you have pseudo IPv4 turned on - if it’s set to “overwrite”, it translates IPv6 addresses into regularly unusable IPv4 addresses:

The only thing that doesn’t add up is that this feature translates IPs to Class E IPv4 addresses, which are those in the range 240.0.0.0/4, so a 172.16.x.x wouldn’t be generated.

Not sure, maybe someone else can provide some insight.

1 Like

I enabled IPv6 years ago and never enabled Pseudo IPv4.
It would be terrible if cf told you it’s from your private network for an access from the public world.

If it’s not Pseudo IPv4, the next step is to figure out how your log got that IP address. Did it come from the Cloudflare visitor IP address header? The only other guess I can come up with is that your host uses those IP addresses for an internal network and it came from another server on your host’s network.

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'$request_time $upstream_response_time $pipe '
'"$http_user_agent" "$http_x_forwarded_for" "$host"';
And I’m also using the real ip module, with the configuration in the topic.
I never use 172.16 in my network. When I tried to traceroute to the address, it was routed to my ISP and dropped soon.
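
A log audit for the question raised above (how the log got that address), as an added example that is not part of the original thread: it parses lines in the `log_format main` posted here and reports any `$remote_addr` or `X-Forwarded-For` entry in RFC 1918 or Class E space. The sample lines, their addresses and the names `classify` and `audit` are constructed for illustration.

```python
import ipaddress
import re

# Matches the thread's "log_format main", field by field.
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes>\d+) '
    r'"(?P<referer>[^"]*)" (?P<request_time>\S+) (?P<upstream_time>\S+) '
    r'(?P<pipe>\S+) "(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)" "(?P<host>[^"]*)"$'
)
# Ranges a visitor address arriving through a CDN should never fall in.
SUSPECT = [(label, ipaddress.ip_network(cidr)) for label, cidr in (
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
    ("class-e", "240.0.0.0/4"),  # range the thread attributes to Pseudo IPv4
)]

def classify(addr):
    """Return a label for an address in a suspect range, else None."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "unparseable"
    for label, net in SUSPECT:
        if ip.version == net.version and ip in net:
            return label
    return None

def audit(lines):
    """Return (time, field, address, label) for each suspect address logged."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the expected format
        fields = [("remote_addr", m["remote_addr"])] + [
            ("x_forwarded_for", a) for a in m["xff"].split(",") if a.strip() not in ("", "-")]
        for field, addr in fields:
            if (label := classify(addr)):
                findings.append((m["time_local"], field, addr.strip(), label))
    return findings

# Constructed sample lines (addresses and host are placeholders, not from the thread).
SAMPLE = [
    '172.16.0.10 - - [07/Feb/2021:18:32:02 +0900] "GET / HTTP/1.1" 200 14712 "https://www.google.com/" 0.000 - . "Mozilla/5.0" "172.16.0.10" "example.test"',
    '203.0.113.7 - - [07/Feb/2021:18:33:10 +0900] "GET /a HTTP/1.1" 200 512 "-" 0.001 - . "Mozilla/5.0" "203.0.113.7" "example.test"',
    '240.16.1.2 - - [07/Feb/2021:18:34:00 +0900] "GET /b HTTP/1.1" 200 99 "-" 0.002 - . "curl/7.68.0" "240.16.1.2" "example.test"',
]
for finding in audit(SAMPLE):
    print(*finding, sep="  ")
```

Because `$remote_addr` is logged after the realip module has rewritten it, these findings alone cannot tell a private TCP peer from a private value in the trusted header. Adding nginx's `$realip_remote_addr` variable to the log format records the original peer address alongside it.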

I think that just leaves the internal network possibility, but that really doesn’t make sense for a live user. Other than nagging your host and/or Cloudflare on what may be a wild goose chase, you could firewall off any traffic that does not come from those Cloudflare IP addresses, then see if it happens again.

In fact, addresses other than cf and my network to ports 80 and 443 have already been rejected by ip(6)tables for a long time.
And I checked all my available logs; internal addresses other than my network only accessed on Feb 07.
Is it possible for cf to check their logs to identify the accident? I’m afraid there are some security issues.

@cloonan
I think it may be a security issue from Cloudflare.
Is it possible for Cloudflare to check your logs to identify the access from the private IP address?
Has someone made a fake IP address, or is it an accident that someone in the Cloudflare network accessed outside?

Might be related to Using HTTP/3 w/ Warp on Cloudflare Websites Shows Private IP.

1 Like