Private IP Subnet (172.16.0.0/12) in CF_CONNECTING_IP

Sometimes I get requests with a private IP in the CF_CONNECTING_IP header. These requests are coming from CF's IPs (the sites are not accessible outside those addresses anyway). Looking at the rest of the headers, it looks like the requests are trying to exploit some bugs in User-Agent string parsing.

As far as I am aware, spoofing of the real address should not be possible. Should I contact someone from CF about this?

[Removed answer suggested Pseudo IPv4 as potential cause]

I don’t think so. I don’t use the “Pseudo IPv4” option, I am getting normal IPv6 addresses in the header when the requests are from v6 origins. Besides, the invalid addresses which show up at my endpoint are from the 172.16.0.0/12 subnet.

Can you give a log line from your server with the offending address shown?

Well, I do not log the headers in my front-end web server anyway, and I do not want to expose the host or URLs either. These are the most important headers:

{
  "HTTP_X_REAL_IP": "162.158.102.130",
  "HTTP_CF_VISITOR": "{\"scheme\":\"https\"}",
  "HTTP_CF_IPCOUNTRY": "XX",
  "HTTP_X_FORWARDED_FOR": "162.158.102.130",
  "HTTP_CF_CONNECTING_IP": "172.16.45.227",
  "HTTP_X_FORWARDED_PROTO": "https"
}
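What a server sitting behind Cloudflare should do with a header dump like the one above is to trust CF-Connecting-IP only when the direct peer is a Cloudflare edge, and then to flag a client address that is not globally routable (the 172.16.0.0/12 case in this thread) before it feeds geo lookups, rate limits or allow-lists. The following is an added example, not code from the thread or from Cloudflare: the posted headers are embedded as-is, the other samples are constructed, and the edge-range list is a short sample that assumes you replace it with Cloudflare's full published list (https://www.cloudflare.com/ips/). It also assumes the peer address is taken from X-Real-IP, as in the posted dump; the socket's remote address is the better source where available.

```python
"""Classify the client address a Cloudflare-fronted server receives.

Added example; not the thread's or Cloudflare's code. Verdicts:
  untrusted_peer     direct peer is not a Cloudflare edge; ignore the header
  missing            CF-Connecting-IP absent
  malformed          value is not an IP address
  pseudo_ipv4        240.0.0.0/4 (Class E) address from the Pseudo IPv4 option
  non_global_client  private / loopback / link-local / reserved client address
  ok                 globally routable client address
"""
import ipaddress
import json

# Constructed SAMPLE of edge ranges (assumption). In production load the full
# published list; 162.158.0.0/15 is here because the posted X-Real-IP is in it.
CLOUDFLARE_EDGE_RANGES = [
    ipaddress.ip_network(n) for n in ("162.158.0.0/15", "172.64.0.0/13")
]

# Class E space used by Cloudflare's Pseudo IPv4 option for IPv6 clients.
PSEUDO_IPV4 = ipaddress.ip_network("240.0.0.0/4")

# The header dump posted in the thread, verbatim.
POSTED_HEADERS = json.loads("""{
  "HTTP_X_REAL_IP": "162.158.102.130",
  "HTTP_CF_VISITOR": "{\\"scheme\\":\\"https\\"}",
  "HTTP_CF_IPCOUNTRY": "XX",
  "HTTP_X_FORWARDED_FOR": "162.158.102.130",
  "HTTP_CF_CONNECTING_IP": "172.16.45.227",
  "HTTP_X_FORWARDED_PROTO": "https"
}""")


def is_cloudflare_edge(addr: str) -> bool:
    """True when addr falls inside one of the configured edge ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in CLOUDFLARE_EDGE_RANGES)


def classify(headers: dict) -> str:
    """Return a verdict string for the request's client-address headers."""
    # Assumption: the peer address is carried in X-Real-IP (as in the dump).
    # Prefer the socket's remote address when the framework exposes it.
    peer = headers.get("HTTP_X_REAL_IP") or headers.get("REMOTE_ADDR")
    if not peer or not is_cloudflare_edge(peer):
        # Anyone can send a CF-Connecting-IP header; only the edge overwrites it.
        return "untrusted_peer"

    raw = headers.get("HTTP_CF_CONNECTING_IP")
    if not raw:
        return "missing"
    try:
        client = ipaddress.ip_address(raw)
    except ValueError:
        return "malformed"

    if client.version == 4 and client in PSEUDO_IPV4:
        return "pseudo_ipv4"
    if not client.is_global:
        # RFC 1918, loopback, link-local, reserved: not a usable client address.
        return "non_global_client"
    return "ok"


# Constructed variants alongside the posted record, one per verdict of interest.
SAMPLES = {
    "posted": POSTED_HEADERS,
    "normal_client": {**POSTED_HEADERS, "HTTP_CF_CONNECTING_IP": "1.1.1.1"},
    "pseudo_ipv4": {**POSTED_HEADERS, "HTTP_CF_CONNECTING_IP": "240.1.2.3"},
    "not_from_edge": {**POSTED_HEADERS, "HTTP_X_REAL_IP": "10.0.0.5"},
}


def audit(samples: dict) -> dict:
    """Classify every sample; the caller logs anything that is not 'ok'."""
    return {name: classify(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:15s} -> {verdict}")
```

Everything other than "ok" is worth a log line that keeps the raw header values, because the CF_IPCOUNTRY of "XX" in the posted dump is exactly what you expect once the edge has no routable address to look up, and that is the quickest way to spot the same condition in bulk.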

Hm, I'm thinking that one of your users is accessing your website through Cloudflare WARP…

CF-Connecting-IP cannot be tampered with, because it will be overridden by Cloudflare's edge. That's what I can think of right now.

Something similar has come up before. Potentially an interaction with HTTP/3 on Warp+ connections. @kkrum might be able to shed some light on this.


I get the same issue:

Michael is right though, it only happens over HTTP/3. It shows my IPv4 or IPv6 fine over HTTP/2. (e.g. 1.1.1.1/cdn-cgi/trace doesn't seem to enable HTTP/3, so it always shows the right IP)

This is indeed an active bug on our side with WARP. I’ll follow up with the development team at our standup in the morning and see if there is an updated ETA.


Thanks a lot!
