1

I'm using Cloudflare's Web Application Firewall - WAF. I don't want clients connecting directly to my application server, but once Cloudflare WAF forwards the traffic to the server I would like to know the IP address of the original client. For logging and tracking purposes. The literature documents two headers; CF-Connecting-IP and True-Client-IP.

https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers

Strangely, although these two headers ostensibly provide the same information, True-Client-IP requires Enterprise (thousands $$ per month), while CF-Connecting-IP states no such requirement. The difference in pricing between these two features is radical enough to have me question -

  1. Are these actually the same thing?
  2. And second, can I actually use CF-Connecting-IP on my Pro plan?

(And if so, why would Cloudflare be restricting the equivalent header - True-Client-IP - to the enterprise plan? Granted that is not a technical question, but when things don’t make sense, I wonder what it is that I am missing…)

Thanks for your advice!

Yossi G.
  • 939
  • 1
  • 8
  • 22

1 Answers1

0

I have found two Request Headers which are useful to my purpose:

  • CF-Connecting-IP
  • x-forwarded-for

As far as I've seen so far, in all cases, these two headers contain identical values; sometimes the IP is in v4 format, sometimes in v6 format.

(Given that this information is available to us already for free, I'm puzzled why Cloudflare would insist on the Enterprise plan and pricing to provide the same information, which is already available to us, in a header with a different name. But in any case, either of those headers listed above will give you the IP address of the end-user client.)

Yossi G.
  • 939
  • 1
  • 8
  • 22