🐛 header X-Forwarded-For not set correctly for the origin
Describe the bug
Using a cf tunnel (public hostname), a wrong value of X-Forwarded-For is given to the origin when the original request includes that header.
For example, if the original visitor IP address is 203.0.113.1, and the X-Forwarded-For header is included like: curl -v -H "X-Forwarded-For: a,b,c,d,e,f,g" https://whoami.example.com
the origin receives:
Cf-Connecting-Ip: 203.0.113.1
X-Forwarded-For: a,b,c,d,e,f,g,203.0.113.1
To Reproduce
Steps to reproduce the behavior:
docker compose:
services:
  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared
    command: tunnel --no-autoupdate run
    env_file: .env_cloudflare
    restart: unless-stopped
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    restart: unless-stopped
Set up a Zero Trust tunnel and make a curl request like:
curl -v -H "X-Forwarded-For: a,b,c,d,e,f,g" https://whoami.example.com
If it's an issue with Cloudflare Tunnel:
4. Tunnel ID : a449d8a5-0a64-437e-bc33-f9051fbf8452
5. cloudflared config: TUNNEL_TOKEN env variable with the secret token
Expected behavior
the origin should receive: X-Forwarded-For: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>
the example should be: X-Forwarded-For: 203.0.113.1,a,b,c,d,e,f,g
(and maybe remove all invalid ip addresses)
Environment and versions
- OS: debian 12
- Architecture: amd64
- Version: 2025.2.0 (Checksum d7e573b235ef4a1cf45d6b837f61094e4a3403c4ef92e1281a8fec3f7f257691)
Additional context
https://developers.cloudflare.com/fundamentals/reference/http-headers/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
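An added example, not part of the original report and not cloudflared code: one way an origin can derive the client address from the X-Forwarded-For value shown above is to read the list from the right and skip only hops it trusts, so client-supplied entries on the left never win. The function name, the peer address 172.18.0.2 and the 172.18.0.0/16 trusted range are assumptions standing in for the cloudflared container on a Docker network.

```python
import ipaddress


def client_ip_from_xff(xff_values, peer_ip, trusted_proxies):
    """Pick the client IP by walking X-Forwarded-For right to left.

    xff_values      -- list of X-Forwarded-For header values, in received order
    peer_ip         -- address of the TCP peer that connected to the origin
    trusted_proxies -- CIDR strings for proxies the origin trusts (assumption)
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # Not delivered by a known proxy: the header is fully client-controlled.
        return str(peer)

    # A request may carry several X-Forwarded-For headers; join them in order.
    hops = [h.strip() for value in xff_values for h in value.split(",")]

    candidate = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Non-IP token (like "g" in the report): stop, keep last good hop.
            return str(candidate)
        if not is_trusted(addr):
            # First untrusted address from the right was written by a trusted
            # proxy about its own peer, so it is the best client address.
            return str(addr)
        candidate = addr
    return str(candidate)


# Constructed inputs: the header value from the report plus assumed addresses.
REPORTED_XFF = ["a,b,c,d,e,f,g,203.0.113.1"]
PEER = "172.18.0.2"          # assumed cloudflared container address
TRUSTED = ["172.18.0.0/16"]  # assumed Docker network of the compose project

if __name__ == "__main__":
    print(client_ip_from_xff(REPORTED_XFF, PEER, TRUSTED))
```

With the header from the report, the result matches the Cf-Connecting-Ip value the origin received.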