Missing CF-IPCountry header, but do have all other Visitor headers?

I’m noticing an odd issue with the “Add visitor location headers” Managed Transform rule.

For whatever reason, I’m getting the visitor headers I’d expect, as described here https://developers.cloudflare.com/rules/transform/managed-transforms/reference/#http-request-headers, but incoming requests are missing the cf-ipcountry header.

Note, I do have “IP Geolocation” enabled at the Network level.

Since I’m seeing cf-postal-code, cf-region, etc, I’m pretty stumped at the lack of cf-ipcountry. Any ideas? I’d appreciate any insight.

Here’s a dump of the incoming headers

{
   "x-forwarded-proto":"https",
   "x-forwarded-port":"443",
   "accept-encoding":"gzip",
   "cf-visitor":"{\"scheme\":\"https\"}",
   "cf-ipcity":"San Jose",
   "cf-ipcontinent":"NA",
   "cf-iplatitude":"37.18350",
   "cf-iplongitude":"-121.77140",
   "cf-metro-code":"807",
   "cf-postal-code":"95141",
   "cf-region":"California",
   "cf-region-code":"CA",
   "cf-timezone":"America/Los_Angeles"
   "cf-ew-via":"15",
   "cdn-loop":"cloudflare; subreqs=1",
   "accept":"text/html,*/*",
   "user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.0.0 Safari/537.36"
}

Type the IP address in here:

https://www.maxmind.com/en/geoip2-precision-demo

The Country field may be missing.

1 Like

Thanks for the tip!

I plugged in the cf-connecting-ip of both my request and a co-worker’s located in Brazil, and they appear to be validly mapped:

So interestingly enough, I created a custom header modification (dynamic) that pulls from ip.src.country, which should be set as the cf-ipcountry header, and I now see my custom header with the country. Very odd! Happy this works, but still head-scratching.

{
   "x-country-test-header":"BR",
   "cf-ipcity":"BrasÃlia",
   "cf-ipcontinent":"SA",
   "cf-region":"Federal District",
   "cf-region-code":"DF",
   "cf-timezone":"America/Sao_Paulo",
   ...other visitor headers
}

Do you have any other Geo rules set? That’d be weird if your combination of Zone IP Geolocation setting and Mangaged transform were stepping on each other’s feet.

It sorta looks looks like this is going through a Worker. Any issues for requests not going through a Worker?

1 Like

Interesting; we do have more than one country-based WAF rule in effect. For the sake of testing, I’ll remove these in our staging workspace and evaluate the outcome. And you’re correct about the requests getting piped through a worker, but it’s ultimately just a passthrough that we’re in the process of deprecating as we’ve strangled all functionality to downstream systems. I appreciate the tips, this definitely give me something to check.

2 Likes