Other non-published CloudFlare IPs in X-Forwarded-For header?

We’re using Nginx behind an ALB on AWS, with some traffic routed through Cloudflare. Because our Nginx server doesn’t necessarily know which traffic has been routed through Cloudflare, we need to use the X-Forwarded-For header (which AWS ALBs use) rather than relying on the CF-Connecting-IP header.

We’ve set up Nginx to use real_ip_header X-Forwarded-For and set_real_ip_from with the various IPv4 and IPv6 IPs using the IP subnets from this page: https://www.cloudflare.com/en-ca/ips/

The problem is, we’re seeing other Cloudflare IPv6 IPs in our webserver logs from ranges/subnets that are NOT published on that page. I’m assuming what’s happening is that the request is being routed through multiple Cloudflare nodes before exiting Cloudflare through one of the published subnets, but because the other non-published IPs are not included in our set_real_ip_from directives, our Nginx servers are taking those IPs as the client IP.

For instance, one request in our Nginx logs is showing as coming from 2a09:bac2:13da:119::1c:25d, likely from the X-Forwarded-For header. A reverse lookup shows that IP as being owned by “Cloudflare, Inc”. However, that IP is not in the subnets listed here: https://www.cloudflare.com/ips-v6

Because that subnet is not in our set_real_ip_from directives, our server assumes that is the client IP, which is not the case.

Is there a solution for this? Is there somewhere else that I can get a list of subnets that Cloudflare actually owns/uses, aside from the few they’ve published? Or am I mistaken about how this should work?

Thanks!
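As an added example (not code from the thread or from nginx), here is a small Python model of how nginx's realip module picks the client address when `real_ip_header X-Forwarded-For` is combined with `set_real_ip_from` and `real_ip_recursive`. The header is walked from the right, trusted hops are skipped, and the first address that is not in the trust list is taken as the client. The ALB subnet, the placeholder edge prefix `2001:db8:cf00::/40` and the addresses `2001:db8:cf00::1`, `198.51.100.7` and `203.0.113.9` are constructed stand-ins; only `2a09:bac2:13da:119::1c:25d` comes from the question.

```python
import ipaddress
from typing import List, Optional

# Constructed trust list for this example. In production this mirrors the
# set_real_ip_from lines: the ALB subnets of the VPC plus every prefix from
# https://www.cloudflare.com/ips/. Documentation and private ranges are used
# here as stand-ins; they are not Cloudflare's real prefixes.
TRUSTED_PROXIES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/16",         # assumed ALB subnet inside the VPC
    "2001:db8:cf00::/40",  # placeholder for a published Cloudflare edge prefix
)]


def is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr falls inside one of the trusted proxy prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def real_ip(remote_addr: str, xff: Optional[str], recursive: bool = True,
            trusted=TRUSTED_PROXIES) -> str:
    """Model nginx's realip resolution for real_ip_header X-Forwarded-For.

    remote_addr is the TCP peer (the ALB here). It is only replaced when that
    peer is itself trusted, otherwise the header is ignored entirely. The header
    is walked right to left. With real_ip_recursive on, each trusted hop is
    skipped and the first address that is NOT trusted becomes the client IP.
    If every entry is trusted, the leftmost one is used. With recursion off,
    only the rightmost entry is taken.
    """
    if not xff or not is_trusted(remote_addr, trusted):
        return remote_addr
    found = remote_addr
    for tok in reversed([t.strip() for t in xff.split(",")]):
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            break  # unparseable entry ("unknown", garbage): stop, keep last valid hit
        found = tok
        if not recursive or not is_trusted(tok, trusted):
            break
    return found


# Sample addresses (constructed, except the WARP client address from the question).
ALB = "10.0.1.5"
CF_EDGE = "2001:db8:cf00::1"
WARP_CLIENT = "2a09:bac2:13da:119::1c:25d"


def demo() -> dict:
    """Resolve the client IP for the request paths discussed in the thread."""
    return {
        # client -> Cloudflare -> ALB -> nginx: header is "<client>, <cf edge>"
        "via_cloudflare": real_ip(ALB, f"{WARP_CLIENT}, {CF_EDGE}"),
        # client -> ALB -> nginx, no Cloudflare in the path
        "direct": real_ip(ALB, "198.51.100.7"),
        # client sent its own X-Forwarded-For; Cloudflare appended the real address,
        # so the right-to-left walk stops at the genuine client, not the forged entry
        "spoof_attempt": real_ip(ALB, f"203.0.113.9, {WARP_CLIENT}, {CF_EDGE}"),
        # real_ip_recursive off: only the rightmost entry (the edge) is consulted
        "non_recursive": real_ip(ALB, f"{WARP_CLIENT}, {CF_EDGE}", recursive=False),
        # nginx reached directly by an untrusted peer: the header is not believed
        "untrusted_peer": real_ip("203.0.113.9", f"{WARP_CLIENT}, {CF_EDGE}"),
    }


if __name__ == "__main__":
    for path, ip in demo().items():
        print(f"{path:15s} -> {ip}")
```

The `via_cloudflare` case reproduces what the logs show: the edge hop is trusted and skipped, and `2a09:bac2:13da:119::1c:25d` is what remains. Whether that is a missing proxy hop or the genuine client cannot be told from the walk alone; it depends only on whether the address belongs in the trust list, which is why the trust list should contain exactly the proxies that are known to sit in front of nginx and nothing more.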

That IP address is used by Cloudflare for VPN type services, and represents the end user address. It is the “real IP” in terms of what you are doing.

4 Likes

Oh shoot, I totally forgot about those Cloudflare services. That makes sense! Glad to know it’s not a configuration error on my end. Thanks for the heads-up!

2 Likes
