Strange HTTP0-requests from CF ip range without

Hello, can anyone explain to me, please, why my nginx behind CF gets a lot of strange HTTP requests with empty CF-Connecting-IP and X-Forwarded-For from CF IP ranges? At the same time normal requests contain these headers. What I mean by strange: - - [15/Jun/2021:11:14:51 +0300] "REGISTER%5BLOGIN%5D=%2B79282895355&REGISTER%

It's a CF IP, but very strange HTTP requests, without a method.

That’s certainly strange. It could be spoofed IP addresses. Have you configured your server firewall to block requests not coming from Cloudflare IP addresses?

Nope, but those requests are definitely not from spoofed IPs (checked that right now with tcpdump). And the rate is pretty high - about 20-30 per second

I note you stated you see x-forwarded-for and cf-connecting-ip - you should be a bit cynical here - anybody can add whatever HTTP request headers they like and send them to your server if your origin is open to the world. Are you sure that the TCP connection is made from a Cloudflare IP? If so, then it would be good to log headers such as cf-ray to get more information about where this request came from.


I saw these headers only for valid requests, no problem here, all works as it should.

But at the same time I saw a lot of HTTPS requests from CF IPs (checked that with tcpdump) without any CF headers - no http_cf_ray, http_cf_connecting_ip or http_x_forwarded_for. It seems like they do not come from CF, but now I block with the firewall any HTTPS traffic from non-CF hosts, and it's all the same - a lot of strange requests.

One more detail I investigated - I added the protocol to the nginx log and it tells me it's not HTTP

HTTPS: PORT:443 PROTO:- - - [17/Jun/2021:10:06:27 +0300] “REGISTER%5BLOGIN%5D=%2B79518934297&REGISTER%5BPERSONAL_PHONE%5D=%2B7951
%D1%82%D1%8C%D1%81%D1%8F” 400 150 “-” “-” “-”
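As an added example that is not part of this thread: a small Python check over nginx access-log lines in a format like the one above, flagging lines whose request line has no HTTP method, that arrive without cf-ray / cf-connecting-ip, or whose TCP peer is outside the Cloudflare ranges. The log_format, the IP ranges and the sample lines are constructed assumptions, not the poster's configuration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed nginx log_format (constructed for this example, not the poster's real config):
#   log_format cf '$remote_addr [$time_local] "$request" $status '
#                 '"$http_cf_ray" "$http_cf_connecting_ip" "$ssl_protocol"';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<cf_ray>[^"]*)" "(?P<cf_ip>[^"]*)" "(?P<ssl>[^"]*)"$'
)
# A well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(r'^[A-Z]{3,7} \S+ HTTP/\d(\.\d)?$')
# Placeholder ranges: load the live list from https://www.cloudflare.com/ips-v4 instead
CF_RANGES = [ipaddress.ip_network(n) for n in ('173.245.48.0/20', '103.21.244.0/22')]

@dataclass
class Finding:
    ip: str
    reasons: list = field(default_factory=list)

def analyse(line):
    """Return a Finding for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = Finding(m['ip'])
    src = ipaddress.ip_address(m['ip'])
    if not any(src in net for net in CF_RANGES):
        f.reasons.append('TCP peer is not a Cloudflare edge')
    if not REQUEST_LINE_RE.match(m['request']):
        f.reasons.append('request line has no HTTP method')
    if m['cf_ray'] == '-':
        f.reasons.append('no cf-ray header')
    if m['cf_ip'] == '-':
        f.reasons.append('no cf-connecting-ip header')
    return f

def suspicious(lines):
    """Findings with at least one reason, i.e. traffic that did not come through the proxy."""
    return [f for f in map(analyse, lines) if f is not None and f.reasons]

# Constructed sample lines in the assumed format (IPs and cf-ray values are made up)
SAMPLE_LOG = [
    '173.245.48.10 [17/Jun/2021:10:06:20 +0300] "GET /index.html HTTP/1.1" 200 '
    '"65a1b2c3d4e5f6a7-FRA" "203.0.113.7" "TLSv1.3"',
    '173.245.48.11 [17/Jun/2021:10:06:27 +0300] "REGISTER%5BLOGIN%5D=%2B7951" 400 "-" "-" "TLSv1.2"',
    '198.51.100.9 [17/Jun/2021:10:06:30 +0300] "POST /login HTTP/1.1" 200 "-" "-" "TLSv1.2"',
]
```

Running `suspicious(SAMPLE_LOG)` reports the second line (no method, no CF headers) and the third (non-Cloudflare peer, no CF headers) while the first passes.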

It’s not clear what the IP is you’re logging here - is it the client TCP IP or x-forwarded-for or some other HTTP request header? The headers can easily be falsified.

All of this becomes irrelevant if you use a Cloudflare Tunnel and close your firewall to incoming TCP connections - that will secure the origin from spurious incoming traffic. Alternatively you could use authenticated origin pulls:

It's not x-forwarded-for or some other header, it's definitely TCP, checked this with tcpdump

Could you provide a TCP dump? You can send it to me privately if you prefer.

You’d either have to initiate a private message thread here (since you have sufficient access level), or your @cloudflare email address.


d’oh! Thanks for the tip - I’ve DM’d @lukin_s now :slight_smile:

