It seems like there is a discrepancy on CloudFlare between the documentation and what’s actually happening on our servers…
The page above states that if no X-Forwarded-For header is found, CloudFlare just adds the origin IP to the field.
It then goes on to state that “if an X-Forwarded-For header was already present in the request to Cloudflare, Cloudflare appends the IP address of the HTTP proxy to the header”.
It then goes on to give an example where the field ends up looking as expected from the description:
X-Forwarded-For: [origin-ip],[existing data]
(notice a comma and no spaces)
This means I should be able to whitelist IP addresses based on the first IP address that CloudFlare provides, as this would be the origin address and couldn’t be forged by a malicious user.
Unfortunately what we seem to be seeing on the server is:
X-Forwarded-For: [existing data],[origin-ip], [cloudflare-ip]:[cloudflare-port]
(notice commas and a space before the Cloudflare IP)
Because of the order of the data, it makes whitelisting IP addresses much more difficult: users can add fake IP addresses into the existing data, and filtering on the end of the data is difficult as CloudFlare has millions of IP addresses and I can’t tell if they will insert multiple Cloudflare IP addresses at the end of the string.
Can anyone offer any advice on why the article and what we are seeing are different, and what the correct header should be?
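Added example, not code from the post or from Cloudflare: given the appending order actually observed on the server, the safe way to derive the client address is to walk X-Forwarded-For from the right, skipping every entry that falls inside a trusted proxy range, and only then apply the whitelist. The proxy ranges below are placeholder documentation networks, not Cloudflare's published ranges, and the ip:port suffix handling matches the format quoted in the post.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder ranges standing in for the proxy's published
# egress ranges (hypothetical documentation networks, not Cloudflare's).
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

def parse_xff_entry(entry: str):
    """Parse one comma-separated X-Forwarded-For entry; tolerates whitespace
    and an IPv4 "host:port" suffix (the form seen in the post). Returns None
    for anything unparseable so client-injected garbage is never an address."""
    entry = entry.strip()
    if entry.count(":") == 1:  # IPv4 with port; IPv6 literals have 2+ colons
        entry = entry.split(":", 1)[0]
    try:
        return ipaddress.ip_address(entry)
    except ValueError:
        return None

def is_trusted_proxy(addr, trusted) -> bool:
    return any(addr in net for net in trusted)

def client_ip_from_xff(xff: str, remote_addr: str,
                       trusted=TRUSTED_PROXY_RANGES) -> Optional[str]:
    """Rightmost-untrusted rule: walk the chain from the right (the end only
    trusted proxies append to) and return the first non-proxy address; all
    entries left of it are client-supplied and ignored. An untrusted TCP peer
    means the header is untrusted, so the peer itself is returned."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer, trusted):
        return str(peer)
    for raw in reversed(xff.split(",")):
        addr = parse_xff_entry(raw)
        if addr is None:
            return None  # a trusted proxy appended garbage: fail closed
        if not is_trusted_proxy(addr, trusted):
            return str(addr)
    return None  # chain contains only proxy addresses

def is_allowed(xff: str, remote_addr: str, allowlist: Iterable[str]) -> bool:
    """Whitelist check on the derived client IP, never on the first entry."""
    client = client_ip_from_xff(xff, remote_addr)
    return client is not None and client in set(allowlist)
```

Skipping every trusted entry from the right also covers the case where several proxy addresses are appended. Cloudflare additionally sets a CF-Connecting-IP header, which can be used instead once the request is verified to arrive from a trusted proxy address.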