Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🚀 Feature Request: Make CF-Connecting-IP header available in dev mode locally #7588

Closed
godfat opened this issue Dec 18, 2024 · 2 comments · Fixed by #7702
Closed

🚀 Feature Request: Make CF-Connecting-IP header available in dev mode locally #7588

godfat opened this issue Dec 18, 2024 · 2 comments · Fixed by #7702
Labels
enhancement New feature or request

Comments

@godfat
Copy link

godfat commented Dec 18, 2024
edited
Loading

Problem statement

The application is behind a reverse proxy, and it cannot access the client IP. All the application sees is the IP from wrangler, because it doesn't add CF-Connecting-IP, nor does it append the client IP to X-Forwarded-For.

Feature request

  • Have header CF-Connecting-IP available. Or:
  • Append the client IP to X-Forwarded-For. Or:
  • Have a way to access the client IP, for example, it can be done via request.socket.remoteAddress

Background

We (GitLab) need a way to access the client IP when running wrangler for end-to-end tests. We do not want to deploy it to Cloudflare in order to run end-to-end tests.

This is needed for the end-to-end tests because the application which wrangler is talking to is behind another reverse proxy, and given this the application sees only the wrangler IP, not the actual client IP. This looks like this:

client <-> wrangler <-> (optional nginx) <-> workhorse <-> application

We want wrangler to append the client IP in X-Forwarded-For header and configure wrangler's IP as a trusted proxy, so that the application can find the real IP from X-Forwarded-For.

If CF-Connecting-IP is always available and can be trusted, then we can use that as well.

The main point is that we need to have a way to access the client IP, so that we can test features with regard to restricting IP. At the moment all IPs we can see are from wrangler itself, which means we cannot test this.

Workaround

We can potentially run another Nginx in front of wrangler to append the IP to X-Forwarded-For, like this:

client <-> nginx <-> wrangler <-> (optional nginx) <-> workhorse <-> application

But due to all the complexity involved with this, it would be nice to avoid needing to do this, just for accessing the client IP.

References
@godfat godfat added the enhancement New feature or request label Dec 18, 2024
@github-project-automation github-project-automation bot moved this to Untriaged in workers-sdk Dec 18, 2024
@penalosa penalosa mentioned this issue Jan 8, 2025
Merged
9 tasks
@penalosa
Copy link
Contributor

penalosa commented Jan 9, 2025

Once #7702 is merged, CF-Connecting-IP will be available on Linux and macOS. Once cloudflare/workerd#3310 is fixed in workerd, it should be available on Windows too—I'll close this issue once #7702 is merged, but feel free to comment on the workerd issue if Windows support is crucial.

@github-project-automation github-project-automation bot moved this from Untriaged to Done in workers-sdk Jan 9, 2025
@godfat
Copy link
Author

godfat commented Jan 9, 2025

Terrific! Thank you so much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
workers-sdk
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Inject CF-Connecting-IP from workerd clientIp cloudflare/workers-sdk
2 participants
@godfat @penalosa