🐛 Cloudflared Tunnel Inconsistent CF-Connecting-IP Headers with Tor #1452

@tn3w


Describe the bug
When using Cloudflare Tunnel with Tor, there's an inconsistency in how the CF-Connecting-IP and X-Forwarded-For headers are reported. On initial page loads with a new Tor circuit, the headers correctly show the actual Tor exit node IP address. However, when simply reloading the page using the same circuit, the headers change to display a Cloudflare data center IP address instead.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a simple HTTP server that displays headers:
    from http.server import HTTPServer, BaseHTTPRequestHandler
    
    class HeadersHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
    
            cf_ip = self.headers.get("CF-Connecting-IP", "Not found")
            forwarded_for = self.headers.get("X-Forwarded-For", "Not found")
    
            response = f"CF-Connecting-IP: {cf_ip}\nX-Forwarded-For: {forwarded_for}"
            self.wfile.write(response.encode())
    
    server = HTTPServer(('127.0.0.1', 8000), HeadersHandler)
    print("Server started at http://127.0.0.1:8000")
    server.serve_forever()
  2. Run the Python server and expose it with Cloudflare Tunnel:
    python3 server.py
    cloudflared tunnel --url 127.0.0.1:8000
  3. Open the official Tor Browser
  4. Navigate to your Cloudflare Tunnel URL
  5. Click the circuit icon to the left of the URL bar
  6. Select "New Tor Circuit for this site"
  7. Note the CF-Connecting-IP value (should be a legitimate Tor exit node IP)
  8. Click the reload button to refresh the page
  9. Note the CF-Connecting-IP now shows a Cloudflare data center IP (typically an IPv6 address like 2405:8100:8000:5ca1::aa:6487)

Tunnel ID: N/A (using trycloudflare.com domain)
cloudflared config: Using default configuration with cloudflared tunnel --url 127.0.0.1:8000

Expected behavior
The CF-Connecting-IP header should consistently display the actual Tor exit node IP address across page reloads using the same circuit.

Environment and versions

  • OS: Ubuntu 24.04.2 LTS
  • Architecture: x86_64
  • Version: cloudflared 2025.4.0 (latest as of 2025-04-16)

Logs and errors
Not applicable - the issue is with inconsistent header values rather than errors.

Additional context
Actual behavior: The CF-Connecting-IP header changes to a Cloudflare data center IP address on page reloads, even when using the same Tor circuit.

When checking the reported IPv6 address (e.g., 2405:8100:8000:5ca1::aa:6487) in IP lookup tools, it shows as belonging to Cloudflare, Inc. and is not a legitimate Tor exit node according to Tor ExoneraTor.

This inconsistency affects:

  1. Security tracking: Site owners cannot reliably track or block malicious Tor users
  2. Geolocation services: Applications depending on accurate location data receive incorrect information
  3. Access control systems: Region-restricted content may be incorrectly allowed or denied
  4. Analytics: Web analytics tools show inaccurate visitor information

Note: This issue might be related to how Cloudflare's edge network processes Tor connections on the server side rather than how the cloudflared software itself handles the connections. The behavior suggests this may be a Cloudflare service-level handling of Tor traffic rather than a bug in the cloudflared client software.
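
A server-side check for the behaviour reported above, as an added example that is not part of the original issue or of the cloudflared project: it flags requests whose CF-Connecting-IP falls in the prefix of the address quoted in the report, so that logging, blocking and geolocation code can treat the value as an edge address rather than a visitor address. The /48 prefix, the function names and the sample address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress

# Assumption: the /48 around the address quoted in the report. Confirm it
# against Cloudflare's published ranges before relying on it.
EDGE_PREFIXES = [ipaddress.ip_network("2405:8100:8000::/48")]


def parse_ip(value):
    """Return an ip_address object, or None for a missing or malformed value."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def classify_client(headers):
    """Classify the address reported in CF-Connecting-IP.

    Returns (kind, address) where kind is:
      "client"  - the address is outside the edge prefixes
      "edge"    - the address is an edge address, not the visitor's
      "invalid" - the header is missing or is not an IP address
    """
    cf_ip = parse_ip(headers.get("CF-Connecting-IP"))
    if cf_ip is None:
        return ("invalid", None)
    if any(cf_ip in net for net in EDGE_PREFIXES):
        return ("edge", str(cf_ip))
    return ("client", str(cf_ip))


def ip_rules_apply(headers):
    """Per-IP blocking and geolocation only make sense for "client" results."""
    return classify_client(headers)[0] == "client"


if __name__ == "__main__":
    # Constructed sample requests: first load, then reload on the same circuit.
    samples = [
        {"CF-Connecting-IP": "203.0.113.7"},                   # constructed address
        {"CF-Connecting-IP": "2405:8100:8000:5ca1::aa:6487"},  # address from the report
        {},                                                    # header absent
    ]
    for h in samples:
        print(classify_client(h), "ip rules apply:", ip_rules_apply(h))
```

In the report's handler, `self.headers` can be passed to `classify_client` directly, since it supports `.get()` with case-insensitive header names.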
