X-Forwarded-For header not included in CF request to origin server

The X-Forwarded-For header is not being included in Cloudflare’s request to the origin server. The Cf-Connecting-IP header is being included, but I need the X-Forwarded-For header on incoming traffic, to configure Apache to parse out the visitor’s IP for my server logs.

Everywhere I have read about X-Forwarded-For, I see that it’s supposed to be included in the request.

However, I am seeing that the X_Real_IP header is showing CF’s IP – rather than the visitor’s IP as expected – so that might be why X-Forwarded-For is not being included? If so, that could be a bug?

I just ran a quick test and did receive that header. I’d triple check if you didnt maybe simply miss the header.

Also, why would CF-Connecting-IP not work? All you need to do is configure mod_remoteip for it.

1 Like

thanks for checking, not sure why I’m not seeing it. I’m just using phpinfo() in a php file to test. I also tested with getallheaders(), and not seeing it show up there, either.

yes, mod_remoteip would work with CF-Connecting-IP, but I’m on Bluehost shared hosting. I don’t know yet if I have any control over enabling or configuring mod_remoteip. I will check on that next, as I can’t figure out why the other header isn’t coming through.

thanks again.

I’d test with var_dump($_SERVER['HTTP_X_FORWARDED_FOR']);

Alright, fair enough. I’d probably contact the host and ask if they have a solution for a site hosted behind Cloudflare. Maybe they have something out of the box. If not, would you record the IP addresses additionally? Accessing CF-Connecting-IP should work in the same way.

1 Like

I will try. Thank you. I’ll post back here in a day or two when I know more.

The var_dump test returned null, so it’s just missing for some reason. I checked all the different settings at CF, to see if something might interfere with it, and switched some settings back-and-forth, but none of the CF settings seem to have anything to do with that header being sent or not. I guess I can live with that mystery, and maybe Bluehost will have some good news.

Could it be your host is filtering out that header? You do receive CF-Connecting-IP, dont you? Do you have the possibility to point another host record to another server and check if you receive that header there?

yes, here is the list of headers that I get. I don’t have a site at any other host, if that is what you mean by testing elsewhere.

Accept:
Accept-Encoding:
Accept-Language:
Cache-Control:
Cf-Connecting-Ip:
Cf-Ipcountry:
Cf-Ray:
Cf-Visitor:
Cookie:
Host:
Mod-Rewrite:
Pragma:
Upgrade-Insecure-Requests:
User-Agent:
X-Cache-Req:
X-Forwarded-Proto:
X-Real-Ip:

you could be right. Bluehost might be stripping it out for security reasons.

I assume X-Real-Ip might contain the same value. Cant you configure whatever you want to configure to use either of the two other headers, Connecting or Real?

That’s what’s weird: X-Real-Ip should be the visitor’s IP, but it’s CF’s IP, instead. That was unexpected.

Yeah, it’s not a big deal to me at all. I was just messing around with my cPanel Apache logs, and thought I would start trying to work on it. When I have rogue visitors, adding lots of stuff to the shopping carts, etc., it’s easiest to use cPanel’s Apache logs to locate their IPs.

Yes, Cf-Connecting-Ip is the correct IP value, so if I need to do something, I can figure something out with Cf-Connecting-Ip, for getting logs. I already did that with my chat software on the site, so it will grab IPs from Cf-Connecting-Ip instead of REMOTE_ADDR.

If I stumble on a solution, I will post back here. Thanks for help tonight.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.