We’re using Nginx behind an ALB on AWS, with some traffic routed through Cloudflare. Because our Nginx server doesn’t necessarily know which traffic has been routed through Cloudflare, we need to use the X-Forwarded-For header (which AWS ALBs use) rather than relying on the CF-Connecting-IP header.
We’ve set up Nginx to use real_ip_header X-Forwarded-For and set_real_ip_from with the various IPv4 and IPv6 IPs, using the IP subnets from this page: https://www.cloudflare.com/en-ca/ips/
The problem is, we’re seeing other Cloudflare IPv6 IPs in our webserver logs from ranges/subnets that are NOT published on that page. I’m assuming what’s happening is that the request is being routed through multiple Cloudflare nodes before exiting Cloudflare through one of the published subnets, but because the other non-published IPs are not included in our set_real_ip_from directives, our Nginx servers are taking those IPs as the client IP.
For instance, one request in our Nginx logs is showing as coming from 2a09:bac2:13da:119::1c:25d, likely from the X-Forwarded-For header. A reverse lookup shows that IP as being owned by “Cloudflare, Inc”. However, that IP is not in the subnets listed here: https://www.cloudflare.com/ips-v6
Because that subnet is not in our set_real_ip_from directives, our server assumes that is the client IP, which is not the case.
Is there a solution for this? Is there somewhere else that I can get a list of subnets that Cloudflare actually owns/uses, aside from the few they’ve published? Or am I mistaken about how this should work?
Thanks!
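Added example (not code from the post or from Cloudflare): a standard-library Python check that tests a logged address against the published IPv6 prefixes and mimics how the nginx real_ip module walks X-Forwarded-For, so the effect of a prefix missing from set_real_ip_from is visible. The prefix list is a snapshot typed in by hand and must be refreshed from https://www.cloudflare.com/ips-v6; the 2606:4700::1, 2001:db8::1 and 2a09:bac2::/32 values in the demo are constructed and carry no claim about Cloudflare’s allocations.

```python
import ipaddress

# Snapshot of the published Cloudflare IPv6 prefixes (refresh from the URL above).
CLOUDFLARE_V6 = (
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)

def in_ranges(ip, prefixes):
    """True if ip falls inside any of the given CIDR prefixes (mixed v4/v6 safe)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def resolve_real_ip(remote_addr, xff, trusted, recursive=True):
    """Mimic real_ip_header X-Forwarded-For with set_real_ip_from <trusted>.

    nginx only rewrites the client address when the direct peer (remote_addr)
    is trusted. With real_ip_recursive off it takes the last (rightmost) XFF
    entry; with it on it walks right-to-left and stops at the first entry that
    is not trusted. If every hop is trusted, the leftmost one is kept (assumed).
    """
    if not in_ranges(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not in_ranges(hop, trusted):
            return hop
    return hops[0]

if __name__ == "__main__":
    # Constructed sample: real client 2001:db8::1, then the address from the post,
    # with the direct peer inside a published prefix.
    logged = "2a09:bac2:13da:119::1c:25d"
    xff = "2001:db8::1, " + logged
    print("logged IP in published ranges:", in_ranges(logged, CLOUDFLARE_V6))  # False
    print("client seen by nginx:", resolve_real_ip("2606:4700::1", xff, CLOUDFLARE_V6))
    # Hypothetical extra prefix, only to show the walk continuing past that hop.
    extended = CLOUDFLARE_V6 + ("2a09:bac2::/32",)
    print("with extra trusted prefix:", resolve_real_ip("2606:4700::1", xff, extended))
```

Feed it the addresses from your own access log and the prefixes you currently trust; any hop the walk stops on that is not your real client is a prefix missing from set_real_ip_from.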