Missing x-forwarded-for header on /api rewrites to backend

Hi, I have a static site hosted by render.com. Every HTTP request to /api/* it rewrites to the backend app. The backend app was hosted by render too. Getting the true client IP worked flawlessly using request-ip - npm. I cannot tell which exact header was used to determine the true client IP but it worked. See the package’s documentation for the list of supported headers. Now, I have migrated my backend app to a VPS using Coolify and thus Traefik. Detecting the true client IP has stopped working.

Here is my best guess what has happened:

  • Before: Render used cloudflare to proxy /api calls to the backend app. So first, cloudflare added cf-connecting-ip and true-client-ip (but no x-forwarded-for). Render has for sure some kind of own reverse proxy but I guess it either a) didn’t add an x-forwarded-for header or b) used a header that is less prioritized than the Cloudflare headers (maybe x-real-ip if it uses nginx?)
  • After: The Cloudflare setup stays the same and it still doesn’t add x-forwarded-for. Traefik as my new reverse proxy however begins a new x-forwarded-for header - not with Cloudflare’s non-standard headers but the last known IP address… which is the Render’s AWS server in Frankfurt. And since my backend app now receives a request with a valid x-forwarded-for it uses it according to the documentation of the request-ip package (which I second because x-forwarded-for is de-facto standard)

My questions are:

  • Does my theory make sense?
  • If so, why did Render configure Cloudflare not to use the x-forwarded-for header? According to Cloudflare’s documentation, it should be active by default.

Thanks!

P.S.: I know I can still extract the client’s IP address by using cf-connecting-ip. But I still think that not including an x-forwarded-for header is a bug because this header is de-facto standard.

Hi there,

Any request hitting a Render service will include the x-forwarded-for header. If your static site is making the request directly to your backend then this request is coming directly from the browser and Render isn’t involved in the request chain. If you use a redirect/rewrite on your Render static site service to direct requests to your backend then the request should include the x-forwarded-for header.

You should check that Coolify/Traefik are not nuking these headers.

Regards,

Keith
Render Support, UTC+10 :australia: