Question

I have a Rails app hosted on Heroku + CloudFlare. The problem is that the IP reported by request.remote_ip changes every now and then, even though my public IP stays the same.

Could it be Heroku, CloudFlare, or both?

Solution

You have to use the X-Forwarded-For header; both Heroku and CloudFlare should set this. Docs:

OTHER TIPS

When Cloudflare is operating as a reverse proxy, it sets this HTTP header: CF-Connecting-IP, and also appends the client's IP to the X-Forwarded-For header.

From: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-CloudFlare-handle-HTTP-Request-headers-

Note that using/relying on X-Forwarded-For is not a good idea, as it can be spoofed very easily. However, the last value in the X-Forwarded-For should be the IP that Cloudflare sticks in there. I'm assuming you are using Cloudflare as a reverse proxy here and that Cloudflare sends the HTTP request direct from its server to your origin server.

I had a conversation with Cloudflare. They guarantee the CF-Connecting-IP header is set by them when the request (to your origin server) comes from one of their proxy servers (which is what Cloudflare is for). I believe the actual value they put into this header comes from the TCP packet from the original requestor. So this is the most accurate way to get the requestor's IP when using Cloudflare (whether with Heroku as the origin server or not).

Cloudflare's proxy servers' IP values can be found here: https://www.cloudflare.com/ips

To be more clear (from Cloudflare): The value comes from the address users connect to us on; as it is a TCP handshake on our front end, spoofing would be a challenge. That said, it is reasonably spoofable if someone connected directly to your origin and just inserted the header on their own (not hashed or encrypted).
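
The check the answers above point to, as an added Ruby example that is not code from the original posts: CF-Connecting-IP is used only when the connecting peer falls inside Cloudflare's published ranges, and is ignored for anything that reached the origin directly. The ranges below are constructed placeholders, and the names parse_ip, from_cloudflare?, last_forwarded, client_ip and the peer_ip parameter are hypothetical.

```ruby
require "ipaddr"

# Constructed placeholder ranges (documentation address space), NOT Cloudflare's.
# Load the real list from https://www.cloudflare.com/ips and keep it current.
CLOUDFLARE_RANGES = %w[198.51.100.0/24 2001:db8::/32].map { |cidr| IPAddr.new(cidr) }

# Parse one address; nil for missing, empty, CIDR-style or malformed input.
def parse_ip(value)
  text = value.to_s.strip
  return nil if text.empty? || text.include?("/")
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

# True when the TCP peer that connected to the origin is a Cloudflare proxy.
def from_cloudflare?(peer_ip)
  peer = parse_ip(peer_ip)
  !peer.nil? && CLOUDFLARE_RANGES.any? { |range| range.include?(peer) }
end

# Right-most X-Forwarded-For entry: appended by the proxy nearest the origin.
# Everything to its left arrived with the request and may be forged.
def last_forwarded(xff)
  parse_ip(xff.to_s.split(",").last)&.to_s
end

# peer_ip: address that opened the connection to the origin (hypothetical
# parameter; how you obtain it depends on the hosting layer).
# headers: request headers keyed by lower-case name.
def client_ip(peer_ip, headers)
  if from_cloudflare?(peer_ip)
    claimed = parse_ip(headers["cf-connecting-ip"])
    return claimed.to_s if claimed
  end
  # Direct-to-origin request or unusable header: report the peer itself.
  parse_ip(peer_ip)&.to_s
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests carrying the same CF-Connecting-IP value.
  via_cf = client_ip("198.51.100.10", { "cf-connecting-ip" => "203.0.113.7" })
  direct = client_ip("192.0.2.55", { "cf-connecting-ip" => "203.0.113.7" })
  puts "via Cloudflare:   #{via_cf}"
  puts "direct to origin: #{direct}"
end
```

Where another trusted router sits between Cloudflare and the app, the peer to check is the address that router recorded, which last_forwarded extracts from X-Forwarded-For.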

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow