Request with last user CF-Connecting-IP/-Country by websocket connection

We’re using nginx as proxy server.

For the first connection, the IP/Country is forwarded correctly on websocket connection/disconnection. But after that, the IP/Country of the last user is forwarded for requests from users.

E.g. 2 users connect to our system. User A has the IP “A” and the country “CA”, User B has the IP “B” and the country “CB”.
A connects first to our server. The IP “A” and country “CA” were forwarded correctly.
B then connects to our server. The IP “B” and country “CB” were forwarded correctly too.

Now, the issue comes: All requests from A & B will be forwarded to our websocket server with only the IP/Country of B: IP “B” and country “CB”.

Until a new user (C) comes or A disconnects his websocket connection. The IP & Country will be changed with the last connection.

Does anybody know how I can solve it?

What headers are you passing by at your Nginx origin?

Moreover, have you applied this at your origin:

In your /etc/nginx/nginx.conf, in the http{} block you should have:

http {

        # CloudFlare IP
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 131.0.72.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 2400:cb00::/32;
        set_real_ip_from 2405:b500::/32;
        set_real_ip_from 2606:4700::/32;
        set_real_ip_from 2803:f800::/32;
        set_real_ip_from 2c0f:f248::/32;
        set_real_ip_from 2a06:98c0::/29;

        real_ip_header CF-Connecting-IP;
        # real_ip_header X-Forwarded-For;

        ...

        map $remote_addr $ip_anonym1 {
          default 0.0.0;
          "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
          "~(?P<ip>[^:]+:[^:]+):" $ip;
        }

        map $remote_addr $ip_anonym2 {
          default .0;
          "~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
          "~(?P<ip>[^:]+:[^:]+):" ::;
        }

        map $ip_anonym1$ip_anonym2 $ip_anonymized {
          default 0.0.0.0;
          "~(?P<ip>.*)" $ip;
        }

        log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent"';

        ...

For WebSocket, I hope you are using WSS, going over HTTPS, and proxying over a port compatible with Cloudflare, right?
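
The trust decision behind the `set_real_ip_from` / `real_ip_header CF-Connecting-IP` lines above, shown in Python as an added example (not code from either poster): the forwarded headers are honoured only when the TCP peer is a listed proxy, and the result is stored per connection at the WebSocket upgrade. The names `handshake_identity`, `on_upgrade` and `sessions`, the sample addresses, and the use of only a subset of the listed ranges are assumptions.

```python
import ipaddress

# Subset of the Cloudflare ranges from the set_real_ip_from lines in the answer.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/12", "172.64.0.0/13",
    "2606:4700::/32", "2a06:98c0::/29",
)]

def is_trusted_proxy(peer_addr, trusted=TRUSTED_PROXIES):
    """True when the TCP peer lies in one of the trusted proxy networks."""
    peer = ipaddress.ip_address(peer_addr)
    return any(peer.version == net.version and peer in net for net in trusted)

def handshake_identity(peer_addr, headers):
    """Client identity read once from the WebSocket upgrade request.

    CF-Connecting-IP / CF-IPCountry are used only if the peer is a trusted
    proxy and the IP header parses; otherwise the peer address is kept.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ident = {"ip": peer_addr, "country": None}
    if is_trusted_proxy(peer_addr):
        try:
            ident["ip"] = str(ipaddress.ip_address(h.get("cf-connecting-ip", "")))
            ident["country"] = h.get("cf-ipcountry")
        except ValueError:
            pass  # missing or malformed header: keep the peer address
    return ident

# Identity is keyed by connection, so a later upgrade never overwrites an
# earlier connection's entry (hypothetical in-memory registry).
sessions = {}

def on_upgrade(conn_id, peer_addr, headers):
    sessions[conn_id] = handshake_identity(peer_addr, headers)
    return sessions[conn_id]

if __name__ == "__main__":
    # Constructed sample input: users A and B arrive via Cloudflare edge
    # addresses; the third peer is not in the trusted list.
    print(on_upgrade("A", "104.16.0.10",
                     {"CF-Connecting-IP": "198.51.100.7", "CF-IPCountry": "CA"}))
    print(on_upgrade("B", "172.64.1.1",
                     {"CF-Connecting-IP": "2001:db8::1", "CF-IPCountry": "CB"}))
    print(on_upgrade("X", "203.0.113.9",
                     {"CF-Connecting-IP": "198.51.100.7", "CF-IPCountry": "CA"}))
    print(sessions["A"])  # still A's own values after B and X connected
```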
