Show XForwardedFor as a column in Firewall logs

We would love to have the XForwardedFor details shown in the Firewall Events Activity Log. At the moment, the IP address is shown. Our Customer uses a reverse proxy so we only get their IP, not the Website User’s IP.

Thanks!

X-Forwarded-For should be the same IP address that would show up in the Events Log. Are you seeing other than this?

Hi.

We are seeing just the two IP addresses for the reverse proxy servers in the firewall events and not the customer X-Forwarded-For IPs, unfortunately.

This is the same for “Unique Visitors” on the overview page, which shows a really small number of users (it’s just counting the reverse proxy server IPs) instead of the 1000s of X-Forwarded-For site visitor IPs.

Thanks!

Wait.

Visitor -> Your customer’s reverse proxy -> Your public domain?

I am not sure if Cloudflare’s Firewall respects the header in any way. :thinking:

@alexcf

1 Like

I set up a quick subdomain for echoing the x-forwarded-for header and CF will append the real IP to the header:

$ curl https://129354.judge.sh/ -H 'x-forwarded-for: 1.1.1.1'
1.1.1.1,2600:----:----:----:----:----:----:----

(removed my IP)

I assume OP is looking to identify the hop before the proxy to help determine what specific machine on the customer’s network triggered the WAF rule.

Not sure we log that data anywhere other than enterprise logs today, so not sure it is a matter of exposing a new field to the UI as much as it might require logging new data first.

Will pass the request on to the product team but any more detail OP could provide around the use case/value would potentially be helpful.

3 Likes

Hi. Thanks for taking a look at this.

Yes that’s correct. If we wanted to block a particular visitor from the Website, we would not be able to identify their IP address using the Firewall Activity Log as the only IP we can see in the logs is the reverse proxy.

Appreciate you passing that on to the product team. Thanks again.

1 Like

Ah well, to be clear, we don’t act on anything other than the connecting IP address in the WAF, as the x-forwarded-for values are easily forged. So even if we exposed it, the ability to act on it at the WAF level is somewhat limited. You might be able to do more with Workers or Cloudflare Access or Rate Limiting or Bot Management depending on the exact use case/scenario.
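The point made above (the WAF acts only on the connecting IP because X-Forwarded-For is easily forged) is the same rule an origin behind a proxy chain has to apply itself when it reads the header. Added example, not Cloudflare’s or anyone in this thread’s code: resolve the visitor address by walking the header from the right and trusting only hops appended by known proxies; the CIDR ranges are constructed placeholders for the edge and the customer’s reverse proxy.

```python
import ipaddress
from typing import Optional

# Constructed placeholder ranges standing in for proxies you actually trust
# (Cloudflare publishes its real edge ranges; the customer supplies its proxy
# addresses). Any address not listed here is treated as an untrusted hop.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),  # placeholder: CDN edge range
    ipaddress.ip_network("192.0.2.5/32"),    # placeholder: customer's reverse proxy
]


def is_trusted(addr) -> bool:
    # Version mismatch (v6 address vs v4 network) simply yields False here.
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(xff_header: str, connecting_ip: str) -> Optional[str]:
    """Resolve the visitor address from X-Forwarded-For.

    Walk the header right-to-left starting from the TCP peer. Each trusted proxy
    appended the address of the peer that connected to it, so the first untrusted
    address found is the visitor. Anything further left was supplied by an
    untrusted party and is ignored. Returns None if a trusted hop is malformed.
    """
    peer = ipaddress.ip_address(connecting_ip)
    if not is_trusted(peer):
        return str(peer)  # direct connection: the whole header is attacker-controlled
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # a proxy we trust should never append garbage; fail closed
        if not is_trusted(addr):
            return str(addr)
    # Every hop was one of our own proxies (e.g. a health check from the proxy itself)
    return hops[0] if hops else str(peer)
```

A forged prefix such as "1.1.1.1" sent by the visitor ends up to the left of the hop the customer’s proxy appended, so it is never reached.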

You do have the ability in the Firewall Rules to block by X-Forwarded-For, which is exactly what we are after; we just don’t know what the IP address is!

Again, really appreciate you coming back to me so quickly on this. If the product team are able to show in the logs the X-Forwarded-For IP address in the Firewall event logs, that would be fantastic.

Thanks again for your help.

Perhaps the rule

(http.x_forwarded_for contains ".") or (http.x_forwarded_for contains ":")

would work for blocking: v4 addresses would contain a period and v6 addresses would contain a colon. This assumes your server itself rejects or ignores an x-forwarded-for value that isn’t a valid IP address, as there’s no operator for “is set”.

Hi Judge

Our issue isn’t blocking the IP. It’s that we have no logs that show what X-Forwarded-For IPs are hitting the site, unfortunately. So if Cloudflare are able to add the X-Forwarded-For IPs to the firewall logs, we are sorted.

Thanks

Hey. Just wondering if the Product Team came back with anything? Thanks