X_FORWARDED_FOR IPv6


#1

I have a firewall rule to whitelist a URL and additionally have been using IP whitelist to allow users to access the resource. I have a script set up for the user to go to that reveals their IP and X_FORWARDED_FOR header so I know what IP to whitelist. The IP is Cloudflare’s obviously and usually the forwarded header is an IPv4 address. I have one client who shows an IPv6 address in the forward header and it changes every day at random, making it impossible to allow them to access the resource. Strange thing is when I send them to something like http://www.whatsmyip.org it shows the same IPv4 address each day. I have also attempted to whitelist the IPv4 address without luck.

What is the workaround here?


#2

Since the one client has a dynamic IP and if purchasing a static IP isn’t an option, you may have to consider allowing all IPs from the given ISP using the Autonomous System Number.


#3

Relevant article:

Why it keeps changing: Most ISPs assign a single IPv4 address to each customer, but due to the shrinking number of IPv4 addresses available, they are starting to rate them less and less. This means it’s generally fine to whitelist an IPv4 since it likely won’t rotate too often, depending on the customer’s ISP. But, in the case of IPv6, there are 2^128 available addresses, so, based on RFC 6177, ISPs are recommended to assign customers /56 blocks, effectively giving each customer 256 subnets and 4 sextillion addresses (although most are going smaller, to /64 blocks, which still provide a generous 8 quintillion).

Whitelisting the IPv4 doesn’t work because it’s connecting over IPv6, so the IPv4 isn’t provided to your server. My recommended solution is to temporarily disable IPv6 by using the API, or whitelist the user’s IPv6 /64.
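To make the /64 suggestion in #3 concrete, here is an added allowlist check (example code, not from the thread or from Cloudflare): it takes the client address from X-Forwarded-For, collapses IPv6 to its /64 and tests it against an allowlist. The prefix, addresses and proxy hop below are constructed values, and the check assumes the header is only trusted on requests that arrived via the proxy.

```python
import ipaddress

# Constructed allowlist: one static IPv4 host and the user's IPv6 /64 prefix.
# Both values are made up for this example; substitute the prefix observed
# in the user's X-Forwarded-For header.
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("2001:db8:1234:abcd::/64"),
]


def client_ip_from_xff(header_value):
    """Return the leftmost address in an X-Forwarded-For header.

    The proxy places the original client first; later entries are hops it
    appended. Only trust this header on traffic that actually came through
    the proxy, otherwise a client can put any value here.
    """
    first = header_value.split(",")[0].strip()
    return str(ipaddress.ip_address(first))  # raises ValueError if malformed


def prefix_for(ip_str, v6_prefixlen=64):
    """Collapse an address to the unit worth allowlisting.

    IPv6 hosts rotate within their delegated prefix, so the stable part is
    the /64 (the granularity #3 recommends). IPv4 stays a single host.
    """
    addr = ipaddress.ip_address(ip_str)
    if addr.version == 6:
        net = ipaddress.ip_network(f"{addr}/{v6_prefixlen}", strict=False)
    else:
        net = ipaddress.ip_network(f"{addr}/32")
    return str(net)


def is_allowed(header_value, allowlist=ALLOWLIST):
    """True if the client address in the header falls inside any allowed network."""
    addr = ipaddress.ip_address(client_ip_from_xff(header_value))
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    # Constructed headers for the same user on two different days plus a proxy hop.
    for hdr in ("2001:db8:1234:abcd:1a2b:3c4d:5e6f:7081, 198.51.100.7",
                "2001:db8:1234:abcd:9999:8888:7777:6666, 198.51.100.7"):
        print(client_ip_from_xff(hdr), "->", prefix_for(client_ip_from_xff(hdr)),
              "allowed:", is_allowed(hdr))
```

Both constructed day-one and day-two addresses map to the same /64 and pass, while a host in a neighbouring /64 does not.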