
🐛Cloudflared Tunnel Inconsistent CF-Connecting-IP Headers with Tor

Open tn3w opened this issue 9 months ago • 1 comment

Describe the bug When using Cloudflare Tunnel with Tor, there's an inconsistency in how the CF-Connecting-IP and X-Forwarded-For headers are reported. On initial page loads with a new Tor circuit, the headers correctly show the actual Tor exit node IP address. However, when simply reloading the page using the same circuit, the headers change to display a Cloudflare data center IP address instead.

To Reproduce Steps to reproduce the behavior:

  1. Set up a simple HTTP server that displays headers:
    from http.server import HTTPServer, BaseHTTPRequestHandler
    
    class HeadersHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
    
            cf_ip = self.headers.get("CF-Connecting-IP", "Not found")
            forwarded_for = self.headers.get("X-Forwarded-For", "Not found")
    
            response = f"CF-Connecting-IP: {cf_ip}\nX-Forwarded-For: {forwarded_for}"
            self.wfile.write(response.encode())
    
    server = HTTPServer(('127.0.0.1', 8000), HeadersHandler)
    print("Server started at http://127.0.0.1:8000")
    server.serve_forever()
    
  2. Run the Python server and expose it with Cloudflare Tunnel:
    python3 server.py
    cloudflared tunnel --url 127.0.0.1:8000
    
  3. Open the official Tor Browser
  4. Navigate to your Cloudflare Tunnel URL
  5. Click the circuit icon to the left of the URL bar
  6. Select "New Tor Circuit for this site"
  7. Note the CF-Connecting-IP value (should be a legitimate Tor exit node IP)
  8. Click the reload button to refresh the page
  9. Note the CF-Connecting-IP now shows a Cloudflare data center IP (typically an IPv6 address like 2405:8100:8000:5ca1::aa:6487)

Tunnel ID: N/A (using trycloudflare.com domain)
cloudflared config: Using default configuration with cloudflared tunnel --url 127.0.0.1:8000

Expected behavior The CF-Connecting-IP header should consistently display the actual Tor exit node IP address across page reloads using the same circuit.

Environment and versions

  • OS: Ubuntu 24.04.2 LTS
  • Architecture: x86_64
  • Version: cloudflared 2025.4.0 (latest as of 2025-04-16)

Logs and errors Not applicable - the issue is with inconsistent header values rather than errors.

Additional context Actual behavior: The CF-Connecting-IP header changes to a Cloudflare data center IP address on page reloads, even when using the same Tor circuit.

When checking the reported IPv6 address (e.g., 2405:8100:8000:5ca1::aa:6487) in IP lookup tools, it shows as belonging to Cloudflare, Inc. and is not a legitimate Tor exit node according to Tor ExoneraTor.

This inconsistency affects:

  1. Security tracking: Site owners cannot reliably track or block malicious Tor users
  2. Geolocation services: Applications depending on accurate location data receive incorrect information
  3. Access control systems: Region-restricted content may be incorrectly allowed or denied
  4. Analytics: Web analytics tools show inaccurate visitor information

Note: This issue might be related to how Cloudflare's edge network processes Tor connections on the server side rather than how the cloudflared software itself handles the connections. The behavior suggests this may be a Cloudflare service-level handling of Tor traffic rather than a bug in the cloudflared client software.

tn3w, Apr 16 '25 11:04
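Added example for this thread, not code from the report above or from the cloudflared project: an origin-side check that refuses to treat CF-Connecting-IP as "the visitor" when the header carries an address inside Cloudflare's own edge prefixes (the symptom reported here), or when the request did not arrive through the local cloudflared connector at all. The prefix list is a snapshot of Cloudflare's published ranges and is an assumption of the example; the loopback peer check assumes cloudflared runs on the same host, as it does with `cloudflared tunnel --url 127.0.0.1:8000`. The sample request headers and the 203.0.113.7 "exit node" address are constructed.

```python
"""Classify the client address a Cloudflare-fronted origin receives.

Added example for this issue thread; it is not code from the report or from
cloudflared. CF-Connecting-IP is used only when it is a real address that does
not itself fall inside Cloudflare's edge ranges, and only when the request
reached the origin through the local cloudflared connector.
"""
from __future__ import annotations

import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Assumption: snapshot of Cloudflare's published edge prefixes
# (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6).
# Refresh this list from those URLs in a real deployment; it changes over time.
CLOUDFLARE_RANGES = [ipaddress.ip_network(prefix) for prefix in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]


def parse_ip(value: Optional[str]):
    """Return an IPv4Address/IPv6Address for a header value, or None if it is not one."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_cloudflare_address(value: Optional[str]) -> bool:
    """True when the address lies inside one of the Cloudflare edge prefixes above."""
    addr = parse_ip(value)
    return addr is not None and any(addr in net for net in CLOUDFLARE_RANGES)


def parse_forwarded_for(value: Optional[str]) -> list[str]:
    """Split an X-Forwarded-For chain into hops, leftmost (client) to rightmost (last proxy)."""
    if not value:
        return []
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def resolve_client_ip(headers: dict[str, str], peer_ip: str) -> dict:
    """Pick the address to use for blocking/geolocation and say whether it can be trusted.

    peer_ip is the TCP peer that connected to the origin. With
    `cloudflared tunnel --url 127.0.0.1:8000` that peer is the local connector;
    any other peer reached the origin directly and could have forged every header
    (assumption: the connector runs on this host, so it connects from loopback).
    """
    peer = parse_ip(peer_ip)
    if peer is None or not peer.is_loopback:
        return {"ip": None, "trusted": False,
                "reason": "request did not arrive via the local cloudflared connector"}

    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    xff = parse_forwarded_for(lowered.get("x-forwarded-for"))
    cf_ip = lowered.get("cf-connecting-ip")
    if parse_ip(cf_ip) is None:
        return {"ip": xff[0] if xff else None, "trusted": False,
                "reason": "CF-Connecting-IP missing or not an IP address"}
    cf_ip = cf_ip.strip()
    if is_cloudflare_address(cf_ip):
        # The behaviour reported in this issue: the header names a Cloudflare
        # data-center address, so it says nothing about the real visitor.
        return {"ip": cf_ip, "trusted": False,
                "reason": "CF-Connecting-IP is a Cloudflare edge address"}
    return {"ip": cf_ip, "trusted": True,
            "reason": "CF-Connecting-IP is a non-Cloudflare address"}


class ResolvedHeadersHandler(BaseHTTPRequestHandler):
    """Like the handler in the report, but returns the verdict instead of raw headers."""

    def do_GET(self):
        verdict = resolve_client_ip(dict(self.headers.items()), self.client_address[0])
        self.send_response(200)
        self.send_header("Content-type", "text/plain")
        self.end_headers()
        self.wfile.write(f"{verdict}\n".encode())


if __name__ == "__main__":
    # Constructed requests standing in for the two observations in the report:
    # 203.0.113.7 plays the Tor exit node; the IPv6 address is the one the report quotes.
    for sample in ({"CF-Connecting-IP": "203.0.113.7", "X-Forwarded-For": "203.0.113.7"},
                   {"CF-Connecting-IP": "2405:8100:8000:5ca1::aa:6487",
                    "X-Forwarded-For": "2405:8100:8000:5ca1::aa:6487"}):
        print(resolve_client_ip(sample, "127.0.0.1"))
    # Then serve on the same loopback address the report's cloudflared command points at.
    HTTPServer(("127.0.0.1", 8000), ResolvedHeadersHandler).serve_forever()
```

Run it in place of the report's server.py behind the same `cloudflared tunnel --url 127.0.0.1:8000`; the first load on a fresh circuit should return `trusted: True` with the exit node address, and the reload that the report describes should return `trusted: False` with the reason naming a Cloudflare edge address. Anything that consumes the header for blocking, geolocation or analytics should branch on `trusted`, not on the bare header value.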

When utilizing Cloudflare Tunnel in conjunction with the Tor network, an inconsistency arises in the reporting of the CF-Connecting-IP and X-Forwarded-For headers. Initially, upon loading a page with a new Tor circuit, these headers correctly reflect the actual IP address of the Tor exit node. However, upon reloading the page using the same Tor circuit, the headers revert to displaying a Cloudflare data center IP address instead.

Steps to Reproduce

  1. Set Up HTTP Server: Create a simple HTTP server that displays the headers.
    from http.server import HTTPServer, BaseHTTPRequestHandler
    
    class HeadersHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
    
            cf_ip = self.headers.get("CF-Connecting-IP", "Not found")
            forwarded_for = self.headers.get("X-Forwarded-For", "Not found")
    
            response = f"CF-Connecting-IP: {cf_ip}\nX-Forwarded-For: {forwarded_for}"
            self.wfile.write(response.encode())
    
    server = HTTPServer(('127.0.0.1', 8000), HeadersHandler)
    print("Server started at http://127.0.0.1:8000")
    server.serve_forever()
    
  2. Run the Python Server:
    python3 server.py
    
  3. Expose the Server with Cloudflare Tunnel:
    cloudflared tunnel --url 127.0.0.1:8000
    
  4. Open Tor Browser: Navigate to your Cloudflare Tunnel URL. Click the circuit icon to the left of the URL bar. Select "New Tor Circuit for this site." Note the CF-Connecting-IP value (should reflect a legitimate Tor exit node IP).
  5. Reload the Page: Click the reload button to refresh the page. Observe that the CF-Connecting-IP now displays a Cloudflare data center IP (e.g., an IPv6 address like 2405:8100:8000:5ca1::aa:6487).

Expected Behavior The CF-Connecting-IP header should consistently display the actual Tor exit node IP address across page reloads when using the same Tor circuit.

Environment and Versions

  • OS: Ubuntu 24.04.2 LTS
  • Architecture: x86_64
  • Cloudflared Version: 2025.4.0 (latest as of 2025-04-16)

Logs and Errors Not applicable; the issue pertains to inconsistent header values rather than errors.

Additional Context

Actual Behavior: The CF-Connecting-IP header changes to a Cloudflare data center IP address upon page reloads, despite using the same Tor circuit.

IP Lookup: The reported IPv6 address (e.g., 2405:8100:8000:5ca1::aa:6487) is identified as belonging to Cloudflare, Inc. and does not correspond to a legitimate Tor exit node according to Tor ExoneraTor.

Impact This inconsistency has several implications:

  1. Security Tracking: Site owners may struggle to reliably track or block malicious users accessing via Tor.
  2. Geolocation Services: Applications relying on accurate location data may receive incorrect information.
  3. Access Control Systems: Region-restricted content may be improperly allowed or denied.
  4. Analytics: Web analytics tools may report inaccurate visitor information.

Conclusion This issue appears to be related to how Cloudflare's edge network processes Tor connections on the server side, rather than a bug within the cloudflared client software. It suggests a need for further investigation into Cloudflare's handling of Tor traffic to ensure consistent and accurate header reporting.


muhammadyasir-dev, Apr 17 '25 08:04