Hi, I have a static site hosted by render.com. Every HTTP request to /api/* it rewrites to the backend app. The backend app was hosted by render too. Getting the true client IP worked flawlessly using request-ip - npm. I cannot tell which exact header was used to determine the true client IP but it worked. See the package’s documentation for the list of supported headers. Now, I have migrated my backend app to a VPS using Coolify and thus Traefik. Detecting the true client IP has stopped working.
Here is my best guess what has happened:
- Before: Render used cloudflare to proxy /api calls to the backend app. So first, cloudflare added
cf-connecting-ip
andtrue-client-ip
(but nox-forwarded-for
). Render has for sure some kind of own reverse proxy but I guess it either a) didn’t add anx-forwarded-for
header or b) used a header that is less prioritized than the Cloudflare headers (maybex-real-ip
if it uses nginx?) - After: The Cloudflare setup stays the same and it still doesn’t add
x-forwarded-for
. Traefik as my new reverse proxy however begins a newx-forwarded-for
header - not with Cloudflare’s non-standard headers but the last known IP address… which is the Render’s AWS server in Frankfurt. And since my backend app now receives a request with a validx-forwarded-for
it uses it according to the documentation of the request-ip package (which I second becausex-forwarded-for
is de-facto standard)
My questions are:
- Does my theory make sense?
- If so, why did Render configure Cloudflare not to use the
x-forwarded-for
header? According to Cloudflare’s documentation, it should be active by default.
Thanks!
P.S.: I know I can still extract the client’s IP address by using cf-connecting-ip
. But I still think that not including an x-forwarded-for
header is a bug because this header is de-facto standard.