X-Forwarded-For incorrect IP address

  • My remote client public IP address is 174.17.x.x (redacted)
    This wordpress web site is behind a CDN, the IP address select by the IP Detection is 208.69.183.49, which is one of the CDN POP IP addresses.

    I see 100.64.0.12 in the X-Forwarded-For, this is a carrier IP assignment internal to the CDN systems.
    Tried the various IP Detection methods, no joy.

    From the /wp-admin/admin.php?page=WordfenceTools&subpage=diagnostics page:
    REMOTE_ADDR 10.110.19.84
    CF-Connecting-IP(not set)
    X-Real-IP(not set)
    X-Forwarded-For 174.17.x.x, 72.21.85.170, 100.64.0.12,?208.69.183.49, 10.110.23.227 (In Use)
    Trusted Proxies10.110.0.0/16, 100.64.0.0/16
    Trusted Proxy Preset(not set)

    No real problem to report here, everything is working just fine.
    This seems a bit odd, we’ve used WordFence behind other CDN and AWS load balancers, haven’t seen this behavior before. Thoughts?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @teemerson,

    Sometimes when the visitor IP isn’t being sent through to any of the methods Wordfence uses for detection, it might be appropriate to contact your host or server admin to see if they’re able to send it to “X-Forwarded-For”, “X-Real-IP”, etc. It may not affect the plugin’s ability to run on your site, but could be problematic if a legitimate block started to affect all visitors to the site as everybody might be detected as the same IP.

    If you need to allow any trusted proxies or use a trusted proxy preset for the site’s configuration to begin detecting visitor IPs correctly, scroll down a short distance to “How does Wordfence get IPs” and “Trusted Proxies and Trusted Proxy Preset” here to see if any of the methods help:?https://www.wordfence.com/help/dashboard/options/#general-wordfence-options

    Let us know how you get on,
    Peter.

    Thread Starter teemerson

    (@teemerson)

    Hi @wfpeter, thanks for having a look.

    I added a php script so we can look at the contents of the X-Forwarded-For HTTP header.

    <?php
    print_r ( apache_request_headers() ) ;

    https [X-Forwarded-For] => 174.17.x.x, 72.21.85.168, 100.64.0.14, 208.69.183.51, 10.110.23.227
    (174.17.x.x is my confirmed but obfuscated public IP address, the other IP addresses are Edgio/Layer0 and AWS)

    Using the WordFence X-Forwarded-For option, 208.69.183.51 is identified as the client IP address.

    Seeing the carrier IP block IP 100.64.0.14 in the list provided by X-Forwarded-For, I suspected it might somehow match logic in the plugin?

    I’ll have a look at the plugin source, got a real mystery here, new puzzle de’ jour.

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.