Hello,
On a small number of requests made to my server, I get Cloudflare’s IP in the X-Forwarded-For header.
I tried to replicate it without success. If I change the header, CF will only append my IP to the previous value.
This is not coming from Always Online (I mean, I do get requests from Always Online with CF’s IP but they are not the ones concerned).
They nearly always come from people ending up being banned for spamming, scamming, …
NGINX logs with logging X-Forwarded-For:
log_format cloudflare '$http_x_forwarded_for - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
When I do it:
2405:8100:8000:5ca1::196:1e15,<redacted>- - [08/Dec/2019:18:19:19 +0100] "GET / HTTP/1.1" 200 33387 "-" "<redacted>" "-"
When I receive a request:
2405:8100:8000:5ca1::13e:238c - - [04/Dec/2019:19:04:48 +0100] "GET / HTTP/1.1" 200 29190 "-" "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0" "-"
These requests represent less than 0.01% of the requests made to my website, yet they are often linked to problems.
Requests with CF as X-Forwarded-For grouped by day:
3 21/Jul
1 22/Jul
36 27/Jul
9 04/Aug
4 22/Aug
1 23/Sep
19 24/Sep
3 25/Sep
1 26/Sep
2 02/Oct
1 05/Oct
10 08/Oct
5 10/Oct
11 21/Oct
3 03/Nov
8 15/Nov
191 16/Nov
12 21/Nov
135 28/Nov
356 03/Dec
414 04/Dec
1 06/Dec
Fishy indeed, how do they do it? I use a deny all / allow CF’s IPs so I don’t think they can request anything directly on the origin server. Moreover, the software above checks for Cloudflare’s IP before trusting X-Forwarded-For. And it logs Cloudflare’s IP too.
How is it possible?
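The per-day count from the post, as an added example that is not the poster's code: it parses lines in the posted `log_format` and separates requests whose last X-Forwarded-For entry (the one Cloudflare appends) is itself a Cloudflare address from requests where a Cloudflare address only appears in earlier, client-supplied entries. The range list is an assumed snapshot of Cloudflare's published IPv6 ranges, the function names are hypothetical, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: snapshot of Cloudflare's published IPv6 ranges. Load the current
# list (and the IPv4 ranges) from Cloudflare before using this on real logs.
CF_NETS = [ipaddress.ip_network(n) for n in (
    "2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 "
    "2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32").split()]
# Start of the post's log_format: $http_x_forwarded_for - $remote_user [$time_local]
LINE_RE = re.compile(r"^(?P<xff>.*?)\s*- \S+ \[(?P<day>\d{2}/\w{3})/\d{4}:")


def is_cloudflare(entry):
    """True if one X-Forwarded-For entry parses as an address inside CF_NETS."""
    try:
        ip = ipaddress.ip_address(entry.strip())
    except ValueError:  # "-", "unknown", redacted or malformed entries
        return False
    return any(ip.version == net.version and ip in net for net in CF_NETS)


def classify(line):
    """Return (day, verdict) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hops = [h for h in m["xff"].split(",") if h.strip()]
    verdict = "ordinary"
    if hops and is_cloudflare(hops[-1]):
        verdict = "cf-last-hop"  # the entry Cloudflare appended is a Cloudflare address
    elif any(is_cloudflare(h) for h in hops[:-1]):
        verdict = "cf-client-supplied"  # earlier entries came with the request
    return m["day"], verdict


def count_by_day(lines, verdict="cf-last-hop"):
    """Count lines with the given verdict per day, like the table in the post."""
    hits = (classify(line) for line in lines)
    return Counter(day for day, v in filter(None, hits) if v == verdict)


# Constructed sample: the 2001:db8::10 client, the user agents and line 3 are made up.
SAMPLE = [
    '2405:8100:8000:5ca1::196:1e15,2001:db8::10 - - [08/Dec/2019:18:19:19 +0100] "GET / HTTP/1.1" 200 33387 "-" "curl/7.66.0" "-"',
    '2405:8100:8000:5ca1::13e:238c - - [04/Dec/2019:19:04:48 +0100] "GET / HTTP/1.1" 200 29190 "-" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [04/Dec/2019:19:05:02 +0100] "GET / HTTP/1.1" 200 1042 "-" "Mozilla/5.0" "-"',
]
print(dict(count_by_day(SAMPLE)))
```

Only the `cf-last-hop` lines correspond to the unexplained requests; a header sent by the client with a Cloudflare address in front lands in `cf-client-supplied`, as in the first sample line.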