X-Forwarded-For sometimes contains only Cloudflare's IP instead of the client IP


On a small number of requests made to my server, I get Cloudflare’s IP in the X-Forwarded-For header.
I tried to replicate it without success. If I change the header, CF will only append my IP to the previous value.

This is not coming from Always Online (I mean, I do get requests from Always Online with CF’s IP but they are not the ones concerned).
They nearly always come from people ending up being banned for spamming, scamming, …

NGINX logs with logging X-Forwarded-For

log_format cloudflare '$http_x_forwarded_for - $remote_user [$time_local] '
                              '"$request" $status $bytes_sent '
                              '"$http_referer" "$http_user_agent" "$gzip_ratio"';

When I do it:

2405:8100:8000:5ca1::196:1e15,<redacted>- - [08/Dec/2019:18:19:19 +0100] "GET / HTTP/1.1" 200 33387 "-" "<redacted>" "-"

When I receive a request:

2405:8100:8000:5ca1::13e:238c - - [04/Dec/2019:19:04:48 +0100] "GET / HTTP/1.1" 200 29190 "-" "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0" "-"

These requests represent less than 0.01% of the requests made to my website, yet they are often linked to problems.

Requests with CF as X-Forwarded-For grouped by day:

      3 21/Jul
      1 22/Jul
     36 27/Jul
      9 04/Aug
      4 22/Aug
      1 23/Sep
     19 24/Sep
      3 25/Sep
      1 26/Sep
      2 02/Oct
      1 05/Oct
     10 08/Oct
      5 10/Oct
     11 21/Oct
      3 03/Nov
      8 15/Nov
    191 16/Nov
     12 21/Nov
    135 28/Nov
    356 03/Dec
    414 04/Dec
      1 06/Dec

Fishy indeed, how do they do it? I use a deny all / allow CF’s IPs so I don’t think they can request anything directly on the origin server. Moreover, the software above checks for Cloudflare’s IP before trusting X-Forwarded-For. And it logs Cloudflare’s IP too.

How is it possible?
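
Added example, not part of the original post: a small log triage script for the `cloudflare` log format shown above. It flags lines where the rightmost X-Forwarded-For entry (the one Cloudflare appends, per the post) is itself a Cloudflare address, and counts them per day. The network list is an abbreviated sample and the log lines are constructed; both are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Abbreviated sample of Cloudflare ranges (assumption: in real use, load the
# full current list published at https://www.cloudflare.com/ips/).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "2405:8100::/32", "2400:cb00::/32", "2606:4700::/32",
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13",
)]

# Matches the post's log_format: "<xff> - <remote_user> [<dd/Mon>/yyyy:..."
LINE_RE = re.compile(r"^(?P<xff>.*?) ?- \S+ \[(?P<day>\d{2}/\w{3})/")

def in_cloudflare(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:  # "-", "<redacted>", or junk a client put in the header
        return False
    return any(ip in net for net in CLOUDFLARE_NETS)

def classify(line: str):
    """Return (day, suspicious) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hops = [h.strip() for h in m["xff"].split(",")]
    # Earlier entries are client-supplied; only the last one was appended
    # by Cloudflare, so that is the one worth checking.
    return m["day"], in_cloudflare(hops[-1])

def count_by_day(lines):
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result and result[1]:
            counts[result[0]] += 1
    return counts

# Constructed sample lines modelled on the two shapes in the post.
SAMPLE = [
    '2405:8100:8000:5ca1::13e:238c - - [04/Dec/2019:19:04:48 +0100] "GET / HTTP/1.1" 200 29190 "-" "UA" "-"',
    '2405:8100:8000:5ca1::196:1e15,2001:db8::7 - - [08/Dec/2019:18:19:19 +0100] "GET / HTTP/1.1" 200 33387 "-" "UA" "-"',
    '203.0.113.9 - - [04/Dec/2019:19:05:01 +0100] "GET / HTTP/1.1" 200 512 "-" "UA" "-"',
    '2405:8100:8000:5ca1::13e:238c - - [04/Dec/2019:19:06:10 +0100] "GET /login HTTP/1.1" 200 900 "-" "UA" "-"',
]

if __name__ == "__main__":
    for day, n in count_by_day(SAMPLE).items():
        print(f"{n:7d} {day}")
```

Logging `$remote_addr` next to `$http_x_forwarded_for` in the same format would show which Cloudflare edge address delivered each flagged request.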
