Hi,

I’ve been reviewing a recent attack on a server and it has become clear that Cloudflare does not proxy every request, all of the time. This has behaviour has come unexpectedly to me and seems to defeat the purpose. Can anyone shed any light on this? I believe my settings are pretty standard.

Request 1 (working as expected):

[HTTP_CF_CONNECTING_IP] => REAL_REQ_IP
[HTTP_CF_IPCOUNTRY] => GB
[HTTP_CF_RAY] => 47932895f8297241-AMS
[HTTP_CF_VISITOR] => {"scheme":"https"}
[HTTP_CONNECTION] => Keep-Alive

[HTTP_X_FORWARDED_FOR] => REAL_REQ_IP
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_HTTPS] => 1
[REDIRECT_STATUS] => 200
[REMOTE_ADDR] => 141.101.77.228
[REMOTE_PORT] => 29980
[REQUEST_SCHEME] => https
[SERVER_PORT] => 443

Same domain, different page (notice the real REMOTE_ADDR, suggesting that this page is not being proxied)

[HTTP_CF_CONNECTING_IP] => REAL_REQ_IP
[HTTP_CF_IPCOUNTRY] => GB
[HTTP_CF_RAY] => 479314d5bdc814af-AMS
[HTTP_CF_VISITOR] => {\"scheme\":\"https\"}
[HTTP_DNT] => 1
[HTTP_HOST] => skinnybakery.co.uk
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_X_FORWARDED_FOR] => REAL_REQ_IP
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_X_HTTPS] => 1
[REMOTE_ADDR] => REAL_REQ_IP
[REMOTE_PORT] => 26898
[SERVER_PORT] => 443
[SERVER_PROTOCOL] => HTTP/1.1 

Best wishes,

James

Considering you had Cloudflare headers in both requests it would seem as if both requests came through Cloudflare (unless whoever sent that request added these headers manually).

Are you rewriting IP address? If so the second request would be to be expected and the question would be why isnt it being rewritten in the first one. Maybe a configuation glitch.

If you are not, the second request likely did come via a direct request and the headers were added manually. In this case some would be aware of your actual IP address. That would not be Cloudflare related however.

Hi Sandro,

Thank you for your thoughts on this.

I made both of those demo requests through my browser so they have not been forged in any way.

I do not see why the connecting IP address would be rewritten at my end, but I will inspect the traffic at a lower level and report back.

Best wishes,

James

In this case we can almost guarantee both requests went through Cloudflare. Otherwise there wouldnt be the Cloudflare headers.

That would depend on your configuration. I cant comment on that.

Hey Sandro,

Thank you for the quick response.

I have found the solution after your comments. It appears the official Mailchimp for WordPress plugin is blatantly overwriting this global variable. See line 44: https://github.com/mailchimp/mc-woocommerce/blob/master/mailchimp-woocommerce.php

What a terrible piece of code!

Thanks again,

James

Doing this arbitrarily in a “random” sub routine is probably not really ideal, but generally it is a good idea to rewrite the IP address to the client one, otherwise you always end up with Cloudflare’s IP addresses. In case you are using Apache you can use mod_remoteip to do so.

Thank you user3061 for this knowledge keep sharing your knowledge with our community.

This topic was automatically closed after 30 days. New replies are no longer allowed.