"x-forwarded-for" header question


I only see one cloudflare internal IP address in “x-forwarded-for” header if I connect my EC2 with nginx to cloudflare.

If this is how it should be?

I’ve done everything that’s described in “restoring-original-visitor-ips” page for nginx, but I am afraid I cannot get real ip because I am not getting proper x-forwarded-for header.

It looks like according the official documentation from “http-request-headers” page x-forwarded-for should contain, citing “X-Forwarded-For maintains proxy server and original visitor IP addresses.”

If this is a bug? If not then what it could be?

I need help here because it could be not only on my side.

1 Like

I only see reference to that header in the instructions for the long deprecated mod_cloudflare. The current method references the CF-Connecting-IP header. I don’t know if that will make a difference, but hopefully it helps.

1 Like

if I look at $http_CF_Connecting_IP it gives me wrong IP address.
It looks like this is cloudflare internal ip address and it is always changing.

Have you enabled and configured the nginx module: ngx_http_realip_module?


nginx -V 2>&1 | grep -o with-http_realip_module

I’ve spent several days google on all possible solutions

Do you have set_realip_from directives configured for all of the Cloudflare proxy IPs?

You will also need real_ip_header CF-Connecting-IP in your configuration.

I have

    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;

    real_ip_header CF-Connecting-IP;
    #real_ip_header X-Forwarded-For;

Have you tried real_ip_recursive to see if it makes a difference?

I am sorry that I don’t have an immediate answer for you. I have only run Apache behind Cloudflare.

^there is a full list actually, I’ve failed to post the whole list here

yes, no difference

Just to be sure, I’ve made a simple express.js server on my personal laptop, point cloudlfare to my personal laptop ip address and still see the same here. There is no real ip address in any header.

So the problem is somewhere before signal gets to any machine I make.

I guess it is because of settings, but I do know what to check.

it could be not something a developer can do.
I mean it could be something like bad realease from cloudflare that needs a fix.

It is not. If it were, the Community would be flooded with posts about it. It can only be a configuration issue on your end.

I have sites behind Cloudflare that use IP based access restrictions on the origin. They prompt for a username and password when accessed from an untrusted IP. If Cloudflare was not sending the actual visitor IPs, I would be facing unexpected password requests every day.

I’ve db checked with completelly different machine and completelly different app.
I took my personal laptop with express.js server versus aws ec2 with nginx.
In this case all headers also had wrong ip address.

I still thinking maybe cloudflare makes somekind of A/B test only for some users and provided me a service that provides me wrong IP address.

for me it is also critical to have correct IP addresses, I will not use cloudflare otherwise. I just started using cloudflare and got on this issue.
I spend several days browsing and looking for possible fix, but did not find anything yet.

Can you provide an example of the full headers that your origin is receiving?

accept-encoding: ‘gzip’
accept-Language: ‘en-US, en; q-0.9, ru; q-0.8’ cdn-loop: ‘cloudflare’ cf-connecting-ip: ‘’
cf-connecting-ipv6: ‘2600:1700:130:b300:8104:32bf: e550: ae8d’ cf-ipcity: ‘redacted’ cf-ipcontinent: ‘NA’ cf-ipcountry: ‘US’ cf-platitude: ‘redacted’ cf-iplongitude: ‘redacted’ cf-metro-code: ‘635’ cf-postal-code: ‘redacted’ cf-pseudo-ipv4: ‘’ cf-ray: ‘redacted cf-region: ‘redacted’ cf-region-code: ‘TX’ cf-timezone: ‘America/Chicago’ cf-visitor: ‘{“scheme” : “http”?’ connection: ‘Keep-Alive’

is not my IP, I also db checked that