TOR exit nodes have CF IP addresses?

What is the name of the domain?

undisclosed

What is the issue you’re encountering

I’m getting HTTP requests from CF IP address even in CF Analytics

What steps have you taken to resolve the issue?

Looks to me like a CF bug, so I don’t have steps to try to resolve it.

What feature, service or problem is this related to?

I don’t know

What are the steps to reproduce the issue?

Our server is using CF-Connecting-IP to get the client’s IP address, as described in Cloudflare HTTP request headers · Cloudflare Fundamentals docs
But even though almost all requests in the log do show the client’s IP address, some show Cloudflare IP addresses when performing an IP address lookup on IP address database sites.
For example IP address 2405:8100:8000:5ca1::100:824a is reaching the server in the CF-Connecting-IP header, but is owned by CF according to https://www.ip2location.com/demo/2405:8100:8000:5ca1::100:824a
The ASN (AS133877) is owned by Cloudflare. At this point, you may be thinking that our server is doing something wrong with CF-Connecting-IP, but these CF IP addresses are also visible in the Cloudflare analytics, where CF shows them under ASN 0 - -Reserved AS-. See attached 1.png.

When I filter traffic from ASN 0 - -Reserved AS-, it shows that most of the requests have Tor as country, which usually hits the server as T1 as the two-letter country code in the CF-IPCountry HTTP request header. The top 3 Source IPs from that ASN show normal DSL non-CF IP addresses, but positions 4 to 15 all show CF IP addresses.

Upon further investigation, when you use Tor Browser to connect with a CF site, CF will use a CF IPv6 address in both the CF-Connecting-IP header and the CF analytics.
Are these CF IP addresses set up by CF as TOR exit nodes? Or is this a CF bug in which CF is replacing the real TOR exit node IP address with one of its own addresses?

Even if CF would run TOR exit nodes, mixing the TOR exit node IP address with a Cloudflare proxy IP address is a problem, because the server should be able to distinguish CF proxy IP addresses and client addresses when the client should be blocked for whatever reason.
IP Ranges also lists these IP addresses.
And Cloudflare IPs · Getting started · Learning paths says that those IP addresses should not be blocked, which basically allows Tor clients to bypass security.

So my question is, why are TOR clients using CF IP addresses?

See…

The Cloudflare TOR nodes route through Cloudflare, you won’t see Cloudflare TOR nodes accessing your origin directly.

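One way for an origin to keep these requests apart from ordinary clients, as an added example that is not part of the original thread or Cloudflare's own code: it classifies each request from the CF-Connecting-IP and CF-IPCountry headers and applies the IP blocklist only to ordinary clients. The /64 prefix is an assumption taken from the addresses quoted in the question; the function names, the fail-closed policy and the sample blocklist are hypothetical.

```python
import ipaddress

# Assumption: the /64 shared by every address quoted in the question.
ONION_PREFIX = ipaddress.ip_network("2405:8100:8000:5ca1::/64")
TOR_COUNTRY = "T1"  # CF-IPCountry value the question reports for Tor

# Constructed sample blocklist (documentation range), not real data.
BLOCKED_NETS = [ipaddress.ip_network("2001:db8::/32")]


def classify(headers):
    """Return (kind, address) for one request's headers.

    kind is 'tor-onion', 'tor-exit', 'client' or 'invalid'.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    try:
        addr = ipaddress.ip_address(lowered.get("cf-connecting-ip", ""))
    except ValueError:
        return "invalid", None  # header missing or malformed
    if addr in ONION_PREFIX:
        # Cloudflare-owned address: it does not identify one client.
        return "tor-onion", addr
    if lowered.get("cf-ipcountry", "").upper() == TOR_COUNTRY:
        return "tor-exit", addr
    return "client", addr


def should_block(headers, blocked_nets=BLOCKED_NETS, block_tor=False):
    """Apply the IP blocklist to clients and a class-level policy to Tor."""
    kind, addr = classify(headers)
    if kind == "invalid":
        return True  # fail closed (policy choice of this example)
    if kind in ("tor-onion", "tor-exit"):
        return block_tor
    return any(addr in net for net in blocked_nets)


if __name__ == "__main__":
    # Constructed requests; the first address is the one from the question.
    samples = [
        {"CF-Connecting-IP": "2405:8100:8000:5ca1::100:824a", "CF-IPCountry": "T1"},
        {"CF-Connecting-IP": "203.0.113.7", "CF-IPCountry": "T1"},
        {"CF-Connecting-IP": "2001:db8::1", "CF-IPCountry": "DE"},
    ]
    for h in samples:
        print(classify(h)[0], should_block(h))
```

The decision for Tor traffic is made per class (`block_tor`) rather than per address, so the Cloudflare-owned range never has to go on the IP blocklist.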