Transform rule to restore X-Forwarded-For?

Is there some way to restore the original X-Forwarded-For (and x-real-ip) header on Cloudflare's side?

Or some way to have Cloudflare leave headers alone? Using IIS

Rewriting my apps just to recognize the “CF-Connecting-IP” header is not an acceptable solution.

Why does Cloudflare rewrite these headers to begin with? Seems to annoy more people than it helps.

Cloudflare supports X-Forwarded-For by default. It only “overrides” it by adding the actual connecting IP to the header, as the protocol requires, so if a client is using multiple compliant proxies, an X-Forwarded-For of 192.0.2.1, 192.0.2.2 will be changed to 192.0.2.3, 192.0.2.1, 192.0.2.2. In general, Cloudflare recommends against this header because of the format (from here):

To restore the original visitor IP address at your origin web server, Cloudflare recommends that your logs or applications look at CF-Connecting-IP or True-Client-IP, instead of X-Forwarded-For, since CF-Connecting-IP and True-Client-IP have a consistent format containing only one IP.

As for X-Real-Ip, you should be able to do it like so, using ip.src:


Thanks for the input!

After doing so I'm still seeing the proxy's IP in the x-real-ip header; I allowed some time just in case it takes a while for the rule to take effect.

It seems that Cloudflare also overwrites the client-ip header. I suppose a similar rule should work, but it doesn't seem to.

Suggestions?

If it’s not changing then that’s the IP Cloudflare is setting. Here’s an echo service: https://httpbin.workers.works/headers, it lists the x-real-ip Cloudflare is sending as my real client IP address. If you really are seeing a Cloudflare proxy IP address then it might be getting overridden somewhere else in your stack.

If you mean True-Client-Ip this is specifically an enterprise-only feature. This is an extremely old, non-standard header that should be avoided at all costs.

Some Enterprise customers with legacy devices need True-Client-IP to avoid updating firewalls or load-balancers to read a custom header name.

Edit: figured out a way to fix this on the inbound proxy rules.

If your app recognizes some other header like X-Forwarded-For, then just replace HTTP_X_CLIENT_IP with HTTP_X_FORWARDED_FOR.

<serverVariables>
    <set name="HTTP_X_CLIENT_IP" value="{HTTP_CF_CONNECTING_IP}" />
</serverVariables>

You will have to add these as allowed server variables.
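The rewrite rule above copies CF-Connecting-IP into the variable the application already reads, and the earlier reply explains why that header (a single address) is preferred over the multi-valued X-Forwarded-For chain. The check a defender wants beside either approach is that the proxy-set header is only believed when the request actually arrived from the proxy: anyone who can reach the origin directly can send their own CF-Connecting-IP or X-Forwarded-For. The following is an added example illustrating that logic in Python, not code from the thread, from Cloudflare or from IIS; the trusted networks it uses are constructed placeholders from RFC 5737/3849 documentation space, not Cloudflare's published ranges.

```python
"""Resolve the real client IP behind a reverse proxy without trusting spoofable headers.

Added example, not code from the thread. TRUSTED_PROXY_NETWORKS is a constructed
placeholder (documentation address space); a real deployment loads the proxy
provider's published egress ranges and refreshes them regularly.
"""
import ipaddress
from typing import Mapping, NamedTuple, Optional

# Constructed placeholder for the proxy's egress networks.
TRUSTED_PROXY_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# The single-valued header the proxy sets (the one the thread recommends reading).
CLIENT_IP_HEADER = "CF-Connecting-IP"


class Resolved(NamedTuple):
    ip: str            # address the application should log and authorise on
    from_header: bool  # True if taken from the proxy header, False if from the TCP peer


def _parse_ip(value: Optional[str]):
    """Return an ip_address object for a header value, or None if it is absent or garbled."""
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr) -> bool:
    """True if the TCP peer address belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXY_NETWORKS)


def resolve_client_ip(remote_addr: str, headers: Mapping[str, str]) -> Resolved:
    """Pick the client IP for a request.

    remote_addr is the TCP peer the origin actually accepted the connection from.
    Only when that peer is a trusted proxy is the proxy-set header believed; a
    request that reaches the origin directly keeps its peer address, so a forged
    header cannot impersonate another client.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer):
        return Resolved(str(peer), False)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    claimed = _parse_ip(lowered.get(CLIENT_IP_HEADER.lower()))
    if claimed is None:
        # Trusted proxy but header missing or unparseable: fall back to the peer
        # rather than guessing from the multi-valued X-Forwarded-For chain.
        return Resolved(str(peer), False)
    return Resolved(str(claimed), True)


# Constructed sample requests: (TCP peer, request headers).
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"CF-Connecting-IP": "203.0.113.5"}),          # via trusted proxy
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.5"}),        # direct hit, spoofed header
    ("192.0.2.10", {"cf-connecting-ip": "not-an-ip"}),            # trusted proxy, garbled header
    ("2001:db8::1", {"CF-Connecting-IP": "2001:db8:ffff::42"}),   # IPv6 via trusted proxy
    ("198.51.100.9", {}),                                         # direct hit, no header
]


def demo():
    """Resolve every constructed sample and return the results in order."""
    return [resolve_client_ip(peer, hdrs) for peer, hdrs in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, _), res in zip(SAMPLE_REQUESTS, demo()):
        source = "header" if res.from_header else "peer"
        print(f"peer={peer:<16} client={res.ip:<20} source={source}")
```

The same decision applies to an IIS rewrite rule: the copy from HTTP_CF_CONNECTING_IP should only happen for connections that come from the proxy's addresses (for example by restricting the origin firewall to those ranges), otherwise the rewritten variable inherits whatever a direct caller chooses to send.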
