HTTP header CF-Connecting-IP contains IPs from Cloudflare

Hey guys,

I am using CF as a reverse proxy for my website and I am using the HTTP header “CF-Connecting-IP” to get the real client addresses (IPv4 and IPv6). I am using those IP addresses for various things (ACLs, …).

I have found out that some of the addresses in this header (IPv6 in my case) are actually from the Cloudflare ASN. Is this expected? Do I have a misconfiguration somewhere? Are there any VPN/other services using the Cloudflare IPs? Is this known to be used by some spammers?

I am not sure why there should be any traffic on my website from the Edge Cloudflare servers containing those addresses in the header… still I am not sure if I can safely block the whole Cloudflare ASN on my webserver for the values of HTTP header “CF-Connecting-IP”.

I have only found this thread (CF-Connecting-IP contains IP from Cloudflare) with the very same issue, but there is no reply and it was closed after 15 days.

If you know anything I am missing or even have an opinion about the situation, please share.

What’s the IP address?

Here are examples of IPv6 from Cloudflare ASN I see in the HTTP header CF-Connecting-IP:

  • 2a09:bac2:4228:ebe::178:149
  • 2a09:bac3:422f:d2::15:3a8
  • 2a09:bac2:1c31:2be::46:50
  • 2a09:bac3:4228:d2::15:358

I see (AS13335 Cloudflare, Inc. BGP Network Information - BGPView) that those are from ranges for Cloudflare WARP. Is my assumption that somebody is routing traffic through this service to my web correct? So far it looks like that…

WARP is similar to a VPN. It’s normal to see client IP addresses from it, for any end-users who have the WARP client installed on their computer or phone.

Yeah, I actually was not aware at all that Cloudflare has such a service.

It makes more sense now. On the other hand I can’t block this traffic, because using such a service is relevant in some cases.

There’s no reason to block it. It doesn’t break geolocation so blocking by things like country will still work.

I sadly didn’t put it into the initial post, my bad.

The vast majority of traffic I am getting from the WARP is pure spam. So this is the reason I am elaborating why to block the traffic or not.
Clearly somebody is using the service to bypass IP/ASN blocking on my site.
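
Added example, not part of any post in this thread: one way to tag CF-Connecting-IP values that fall in WARP ranges and compare spam ratios per tag before deciding on an ACL. The two /32 prefixes are an assumption inferred only from the sample addresses quoted above, and the `is_spam` flag and sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: /32 prefixes inferred only from the sample addresses quoted in
# this thread; replace them with the WARP egress ranges you have verified.
WARP_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("2a09:bac2::/32", "2a09:bac3::/32")]


def classify(header_value):
    """Tag one CF-Connecting-IP value as 'warp', 'other' or 'invalid'."""
    try:
        addr = ipaddress.ip_address(header_value.strip())
    except ValueError:
        return "invalid"  # empty, truncated or non-IP header value
    for net in WARP_PREFIXES:
        if addr.version == net.version and addr in net:
            return "warp"
    return "other"


def spam_ratio_by_tag(records):
    """records: iterable of (cf_connecting_ip, is_spam) pairs.

    Returns {tag: (requests, spam_requests, spam_ratio)}.
    """
    totals = defaultdict(lambda: [0, 0])
    for header_value, is_spam in records:
        tag = classify(header_value)
        totals[tag][0] += 1
        totals[tag][1] += int(bool(is_spam))
    return {tag: (n, s, round(s / n, 2)) for tag, (n, s) in totals.items()}


# Constructed sample records: the first four addresses are the ones quoted in
# the thread, the rest are documentation-range addresses; is_spam is made up.
SAMPLE = [
    ("2a09:bac2:4228:ebe::178:149", True),
    ("2a09:bac3:422f:d2::15:3a8", True),
    ("2a09:bac2:1c31:2be::46:50", False),
    ("2a09:bac3:4228:d2::15:358", True),
    ("2001:db8::10", False),
    ("203.0.113.7", True),
    ("198.51.100.23", False),
    ("not-an-ip", False),
]

if __name__ == "__main__":
    for tag, stats in sorted(spam_ratio_by_tag(SAMPLE).items()):
        print(tag, stats)
```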

