Workers always pass "CF-Connecting-IP: 2a06:98c0:3600::103"

user7996 · July 14, 2020, 7:48am

Hi all,

It started on 13 July about 11:15 am UTC when workers started to pass static IP in HTTP header to the origin server, regardless of true client IP, even with IPv4.

"CF-Connecting-IP: 2a06:98c0:3600::103

Even when I directly inject header “CF-Connecting-IP” with the correct IP address I still have from the incoming request, it’s overwritten later by Cloudflare. True-Client-IP is passed correctly:

  let ip = request.headers.get('CF-Connecting-IP')
  let headers = new Headers()
  headers.append( 'True-Client-IP', ip)
  headers.append( 'CF-Connecting-IP', ip)
  let originRequestParams = { method: "POST", headers }
  const originRequest = new Request( url, new Request( request, originRequestParams))

Does anyone know what caused this change?

winterstephane · July 16, 2020, 11:14am

Same here,

I just noticed the same issue on my end, I used to be able to see the client IP before, and it changed a few days ago, and now I also get this one every time: 2a06:98c0:3600::103

adaptive · July 16, 2020, 12:36pm

I don’t know the cause but “CF-” headers shouldn’t be manipulated.
I believe that changing them can create an attack vector.
If you wish to manipulate data and pass to your server use “x-ip” header or something that is only know to you.