CD
Cloudflare Developers3mo ago
Pato

can CF-Connecting-IP be faked?

Hey everyone, I wanna know can CF-Connecting-IP be faked like "X-Forwarded-For"?, in other words: How does Cloudflare know customer IP? and on which layer does it rely?
15 Replies
Cyb3r-Jak3
Cyb3r-Jak33mo ago
It is the IP that connected to Cloudflare’s edge which is the header. It cant be faked because it will always be overridden and isn’t possible to be edited through any Cloudflare process. But also just because a request has the connecting IP header doesn’t mean it came from Cloudflare. People can spoof the header.
Pato
Pato3mo ago
whitelisting cloudflare IPs only should solve this problem
Cyb3r-Jak3
Cyb3r-Jak33mo ago
Yes it would
Pato
Pato3mo ago
I get that, but on which TCP/IP layer does it figure out a customer's IP (I hope not the application layer, right?) yeah yeah, but I just wanna make sure that it does not rely on the headers to figure out my IP like X-Forwarded-For or any other param when the packet arrives, how does it figure out my IP? is this a better question? like how does it know this is Pato's IP? on which base does it rely on? located in? the internet layer? yeah I know that, exactly thats why im hoping it does not rely on the application layer
Cyb3r-Jak3
Cyb3r-Jak33mo ago
The only place where an IP is guaranteed is the internet layer.
Pato
Pato3mo ago
so? the internet layer, right?
Cyb3r-Jak3
Cyb3r-Jak33mo ago
Yes
Pato
Pato3mo ago
any document?
Cyb3r-Jak3
Cyb3r-Jak33mo ago
On what? The TCP/IP model?
Pato
Pato3mo ago
cloudflare grabbing user IP from the internet layer
Cyb3r-Jak3
Cyb3r-Jak33mo ago
Because there’s no other place to grab it?
Pato
Pato3mo ago
ur right, it is cloudflare afterall, I would've liked a reassurance @Helpflare what do you think?
Cyb3r-Jak3
Cyb3r-Jak33mo ago
I mean where else do you think they could grab the IP from?
Chaika
Chaika3mo ago
helpflare is a bot lol
radakul
radakul3mo ago
Pato, you may want to look into Wireshark to better understand what IP's are transiting your network. It sounds like Chaika and Cyber are both giving you a clear answer, but the understanding needs to be expanded around how de/encapsulation works for packets/frames as they move up and down the OSI model "stack" X-Forwarded-For (and similar headers) are in a higher layer of the stack, IP's are lower. So figure out which portion of your question you're trying to elaborate on, which will help folks answer the question more correctly.
Want results from more Discord servers?
Add your server
More Posts
unstable_dev wrangler authenticationHey there, I'm using https://developers.cloudflare.com/workers/wrangler/api/#unstable_dev for testinInternal Server Error (Code: 1000) There was an error enabling ImagesHello, I can not access Images feature of cloudflare, although I have made paymentHey I wanted to setup billingHey I wanted to setup billing notifications when my workers hit a limit - number of requests or CPU Pages app meltdown - internal error at functionsWorkerHi, my pages app is an Angular app with functions (Hono). It has been working fine for a long timeCache Rules ProblemI set a Cache Rules for cache only 404 response code but it cache for 200 and 404 response code i nWorkers Analytics Engine - how to enable?Documentation indicates enabling Analytics Engine via: - Go to Workers & Pages. - In Overview, find about cf loadbalacner.if I am using cf loadbalacner is there any chance people can know the ip of my server from my domainDownloading SSL CertificateAt my work, our IT guy asked for the SSL Certificate. Is there a quick way to download it? I checkedtarkovhelp getting unblocked on tarkovJust deployed a new version of my website.The internal links work. But all the Custom Domains stoped working at the same time. DNS_PROBE_POSS