Requests with empty HTTP_CF_CONNECTING_IP

We are often scanned/checked for vulnerabilities, and from the log we can see that the requests look like this:

2020-01-28 14:19:59 Content type: application/x-www-form-urlencoded
2020-01-28 14:19:59 Request content: <?=md5("phpunit")?>
2020-01-28 14:19:59 HTTP referer:
2020-01-28 14:19:59 User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
2020-01-28 14:19:59 HTTP_CF_CONNECTING_IP:
2020-01-28 14:19:59 HTTP_CF_IPCOUNTRY:
2020-01-28 14:19:59 Query: path=vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
2020-01-28 14:19:59 REMOTE_ADDR:
2020-01-28 14:19:59 REMOTE_HOST:

I have added the address to the firewall in Cloudflare, but requests are still coming through (somehow).

I have the following questions:

  1. How can requests come via Cloudflare but the variable HTTP_CF_CONNECTING_IP is empty?
  2. How would you recommend defending against such scanning?
  3. Why does the Cloudflare firewall not block such requests; what could be the reasons?


Note the client address. These are not requests coming via Cloudflare, but direct requests instead. You’d need to configure your server’s firewall to accept only Cloudflare connections.

1 Like
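
One way to carry out the reply's advice on a Linux origin, as an added example that is not part of the original thread: the script prints iptables rules that accept web traffic only from Cloudflare source ranges and drop everything else on those ports. The function names are hypothetical, the embedded ranges are a partial snapshot for illustration, and ports 80 and 443 are assumed.

```bash
# Added example. CF_RANGES_SAMPLE is a partial IPv4 snapshot for illustration;
# feed the function the current list from https://www.cloudflare.com/ips-v4 instead.
CF_RANGES_SAMPLE='173.245.48.0/20
103.21.244.0/22
141.101.64.0/18
162.158.0.0/15
104.16.0.0/13
172.64.0.0/13'

# Succeeds only for a well-formed IPv4 CIDR (four octets 0-255, prefix 0-32).
is_ipv4_cidr() {
    local cidr=$1 addr prefix octet
    case $cidr in */*) ;; *) return 1 ;; esac
    addr=${cidr%/*}; prefix=${cidr#*/}
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Reads ranges on stdin (blank lines and # comments ignored), prints the rules.
# Prints nothing if any line is malformed or the list is empty, so a failed
# download cannot produce a rule set consisting only of the final DROP.
cf_only_rules() {
    local ports=${1:-80,443} line rules='' count=0
    case $ports in ''|*[!0-9,]*) echo "invalid ports: $ports" >&2; return 1 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        is_ipv4_cidr "$line" || { echo "invalid range: $line" >&2; return 1; }
        rules="${rules}iptables -A INPUT -p tcp -m multiport --dports $ports -s $line -j ACCEPT
"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "empty range list" >&2; return 1; }
    printf '%s' "$rules"
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j DROP\n' "$ports"
}

# Print for review. -A appends, so earlier ACCEPT rules on INPUT still win;
# IPv6 needs the same treatment with ip6tables and Cloudflare's IPv6 list.
printf '%s\n' "$CF_RANGES_SAMPLE" | cf_only_rules
```

With rules like these in place, a direct request to the origin such as the one in the log is dropped before it reaches PHP, so the application only ever sees requests that carry a CF-Connecting-IP header set by Cloudflare.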
