X-Forwarded-For documentaiton seems wrong

I’m observing the same thing as described in an older issue:

X-forwarded-for discrepancy

The documentation in https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers- doesn’t reflect what I am observing. The documentation says:

If an X-Forwarded-For header was already present in the request to Cloudflare, Cloudflare appends the IP address of the HTTP proxy to the header:

The example goes on and lists the origin IP of the client as the first item in the X-Forwarded-For string (separated by commas). On my server, I’m observing that if the client provides an X-Forwarded-For header, the contents of that header will be the first item, not the origin IP.

Is the documentation wrong?

I was able to implement a workaround that consistently sends the “CF-Connecting-IP”, that provides the client (visitor) IP address (connecting to Cloudflare), as the value for X-Forwarded-For to my backend via Nginx. I’m using docker on AWS Elastic Beanstalk. Adding the .config file in my .ebextensions folder for reference to others struggling with the same problem:

   mode: "000644"
   owner: root
   group: root
   content: |
       # HTTPS Server

       map $http_cf_connecting_ip $cloudflare_ip {
           default $http_cf_connecting_ip;
           '' $proxy_add_x_forwarded_for;
       server {
           listen 443;
           server_name localhost;
           ssl on;
           ssl_certificate /etc/pki/tls/certs/server.crt;
           ssl_certificate_key /etc/pki/tls/certs/server.key;
           ssl_session_timeout 5m;
           ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
           ssl_prefer_server_ciphers on;
           location / {
               proxy_pass http://docker;
               proxy_http_version 1.1;
               proxy_set_header Connection "";
               proxy_set_header Host $host;
               proxy_set_header X-Real-IP $remote_addr;
               proxy_set_header X-Forwarded-For $cloudflare_ip;
               proxy_set_header X-Forwarded-Proto https;

This topic was automatically closed after 30 days. New replies are no longer allowed.