How to let Cloudflare get another CDN's true client IP?

I have another CDN in front of Cloudflare, the topology diagram is as follows:

client --> aws cloudfront --> cloudflare --> server

I can get client IP by adding real_ip_header X-Forwarded-For in server’s nginx config,

But, How can I let the Cloudflare get the client’s IP? I need the true client IP for Firewall rules, Thanks guys!

You can change the incoming header with a transform rule

1 Like

Thanks for the reply!
aws cloudfront sends X-Forwarded-For to Cloudflare,
How to write Cloudflare’s transform rules to identify the client IP sent by aws?

I believe something like this would work

Thanks, i’ll try!

another question:
If I understand correctly, the header modification is behind the WAF, The Cloudflare WAF can’t perceive the modified header request, so it can’t get the user’s real IP?

hmm, it cannot save:
“it cannot be used on header ‘X-Forwarded-For’”

Right, that’s one you can’t modify:

1 Like

Thanks, Can I achieve what I want in other ways?

I tested the above configuration and it doesn’t work.

Sorry, you would need something like

Where X-Forward-Forward is the header that you are passing to the server.

Thanks for your kindly reply,
It doesn’t work by using X-Forward-Forward.

I don’t fully understand the usage of X-Forward-Forward here. From what I understand, AWS cloudfront doesn’t contained a X-Forward-Forward header in their request.
And “the header modification is behind the CF WAF”, I don’t know if this kind of header modification would work.

Thanks again for your help, do you have a telegram? I can pay for this issue.

The X-Forward-Forward is the output header that contains the content of the inbound x-forward-for header.

How about “the header modification is behind the CF WAF”?
I need the CF WAF get the client ip which contains in AWS’s X-Forward-For or CloudFront-Viewer-Address header.

Maybe CloudFront-Viewer-Address header which includes includes IP address and connection port information for requesting clients Amazon CloudFront adds support for client IP address and connection port header ?

Amazon CloudFront now provides a CloudFront-Viewer-Address header that includes IP address and connection port information for requesting clients. The connection port field indicates the TCP source port used by the requesting client. Previously, IP address and client connection port information were available only in CloudFront access logs, making it harder to resolve issues or perform real-time decision-making based on these data. Now you can configure your CloudFront origin request policies to forward the CloudFront-Viewer-Address header to your origin servers. The header can also be used in CloudFront Functions when included in an origin request policy. The CloudFront-Viewer-Address header uses the following syntax: CloudFront-Viewer-Address:

Oh you already mentioned that. Might need to contact CF support on that one due to order of how requests come in

Thanks I’ll try to connect Cloudflare support

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.