13

Cloudflare changes the IP addresses of incomming requests because Cloudflare is a middleware between my website and the Internet, a proxy.

How should I get the initial IP address of the request, not Cloudflare its IP address. I heard about the mod_cloudflare but does this plugin only updates the IP address in my logs (?) And I didn't find a version for Nginx.

Luca Kiebel
  • 9,790
  • 7
  • 29
  • 44
Michiel
  • 1,713
  • 3
  • 16
  • 34

2 Answers2

23

Cloudflare sets the CF-Connecting-IP and the X-Forwarded-For headers on every request

You can simply get the IP from their special header:

let ip = req.headers['cf-connecting-ip']

If you expect requests outside of Cloudflare, you can get these IPs the following way:

let otherIp = req.headers['x-forwarded-for'] || req.connection.remoteAddress

Though, be wary, that other Proxies (like Nginx) will also set the x-forwarded-for header.

Luca Kiebel
  • 9,790
  • 7
  • 29
  • 44
  • Works for third party website requests, I also added my own website to the website and this is the IP that's returned from the `req.cf_ip`: 2a02:1810:9410:7b00:8829:fc7f:b81f:10f, any idea what this is? – Michiel Aug 26 '18 at 14:45
  • An IPv6 address – Luca Kiebel Aug 26 '18 at 14:45
  • No, you can't transform them to IPv4 addresses, it's a different Version of the internet protocol, get used to them ;-) – Luca Kiebel Aug 26 '18 at 14:48
  • If I use `req.body.remoteAddress` then it's a ipv4 address. Isn't there a way to check if the response is ipv4 or ipv6 in Nodejs? – Michiel Aug 26 '18 at 14:54
  • You can check if it contains a dot using `String#includes`, if it does, its an IPv4 address – Luca Kiebel Aug 26 '18 at 14:57
  • Seems legit. Thank you for the help. – Michiel Aug 26 '18 at 15:08
  • For some odd reason I don't receive any requests. I made a post to give some more information about what's going on https://stackoverflow.com/questions/52034699/nodejs-only-options-request-is-send-to-the-rest-api-post-or-get-doesnt-follo – Michiel Aug 27 '18 at 12:20
  • 2
    Wouldn't this expose you to spoofing from connections that are not coming through Cloudflare? Hence Cloudflare recommends limiting to connections from their IPs: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs – ewall Sep 02 '21 at 21:04
  • @ewall sure, if you only expect connections through Cloudlfare you should not look for other IPs. I have edited the answer accordingly, thanks – Luca Kiebel Sep 04 '21 at 11:20
1

Are you using express? If so you can use the cloudflare-express middleware package to retrieve the IP addresses you need.

var cloudflare = require('cloudflare-express');
...
var express = require('express');
var app = express();
...
app.use(cloudflare.restore({update_on_start:true}));

Then the user's original address appears on req objects as cf_ip.

You may also, if your express app is behind a typical nginx reverse proxy, use express's trust proxy setting.

For example:

    app.set( 'trust proxy', 'loopback' ); //trust localhost reverse proxy

Other request-processing frameworks most likely have their own packages to do similar things.

O. Jones
  • 103,626
  • 17
  • 118
  • 172
  • Works for third party website requests, I also added my own website to the website and this is the IP that's returned from the `req.cf_ip`: 2a02:1810:9410:7b00:8829:fc7f:b81f:10f, any idea what this is? – Michiel Aug 26 '18 at 14:45