[v0.20.13.1] Crippled Via header when using X-Forwarded-For/Via #393

Closed
kekkc opened this issue Jun 12, 2020 · 9 comments

Comments

@kekkc

kekkc commented Jun 12, 2020

Hi all,

I noticed the following strange behavior since the latest version updates:
if an X-Forwarded-For/Via IP range is used, a wrong Via header is inserted. Instead of using the specified range, a 1.1 is put in front of it, resulting in "Via: 1.1 93.192.98.94". This seems to result in all Cloudflare DDoS-protected websites failing to load.

However, I googled some references some years back where it was mentioned that Via is no longer used by web servers, while X-Forwarded-For is the de-facto standard. I generally liked it more when it was possible to select only one.

Was there any reason why this was changed?

Relevant settings

X-Forwarded-For/Via Custom = from 93.192.0.0 to 93.192.255.255

Context (Environment)

FF77.0.1

@sereneblue
Owner

Hi @kekkc,

The 1.1 is used to specify the protocol used (in this case it's HTTP/1.1). More info can be found here. The reason why they're both together is because the desired functionality is to "spoof your IP via headers". Although X-Forwarded-For is generally the header that's used to determine the IP these days, some older servers may use Via. Can you link a few URLs that are giving you issues?

@kekkc
Author

kekkc commented Jun 13, 2020

Thx for the explanation of the protocol. One problematic example I found is http://animedao.com/ , where the DDoS check is always reloaded and started from the beginning.

BTW: didn't find my original source, but there's some info that Via is only used for debugging: https://stackoverflow.com/questions/15248785/the-difference-between-the-x-forwarded-for-header-and-the-via-header
Personally I'd prefer to use just X-Forwarded-For without sending a Via header.

@sereneblue
Owner

sereneblue commented Jun 13, 2020

@kekkc Thanks for the link. That's an interesting debug case.

EDIT: I was able to replicate this issue. If the Via header is causing the issue, I'll remove it.

@kekkc
Author

kekkc commented Jun 13, 2020

Thanks for chasing this. I sent you another example link using the same Cloudflare protection via your web contact form.

@sereneblue
Owner

Removing the Via header doesn't seem to resolve the issue. I looked around a bit and found this page that details what Cloudflare does with the X-Forwarded-For header: it seems Cloudflare merges the client's true IP with the original X-Forwarded-For value so the final result that reaches the web server is something like X-Forwarded-For: X.X.X.X,Y.Y.Y.Y. This issue doesn't happen on all Cloudflare protected sites so there may be some more clues I can use to debug this. I'll do some more testing and will hopefully have some good news to share.
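As an added illustration of the two points above (this is not the extension's code or Cloudflare's): the Via value "1.1 93.192.98.94" is a received-protocol/received-by pair, and an origin server behind a reverse proxy should derive the client address by walking the merged X-Forwarded-For chain from the right through the proxies it trusts, not by taking the leftmost value. The proxy range 198.51.100.0/24 and the address 203.0.113.7 are constructed stand-ins, not Cloudflare's real ranges.

```python
import ipaddress
from typing import List, Optional, Tuple

def parse_via(header: str) -> List[Tuple[str, str]]:
    """Split a Via header into (received-protocol, received-by) pairs.

    RFC 7230 section 5.7.1 defines each hop as
    "[protocol-name/]protocol-version received-by", so the value
    "1.1 93.192.98.94" means HTTP/1.1, received by 93.192.98.94.
    """
    hops = []
    for entry in header.split(","):
        parts = entry.strip().split()
        if len(parts) < 2:
            raise ValueError(f"malformed Via entry: {entry!r}")
        proto = parts[0]
        if "/" not in proto:
            proto = "HTTP/" + proto  # protocol-name defaults to HTTP
        hops.append((proto, parts[1]))
    return hops

def client_ip_from_xff(xff: str, peer_ip: str, trusted_proxies) -> Optional[str]:
    """Derive the client address an origin behind a reverse proxy should trust.

    Each proxy appends the address it received the request from, so after
    merging the chain reads "claimed, real_client". Only the TCP peer and the
    entries appended by trusted proxies are verified; anything further left
    is an unverified claim. Append the peer, walk from the right skipping
    trusted proxies, and return the first other address. None means the
    chain was exhausted or an entry was not an IP address (fail closed).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: refuse to guess
        if not any(addr in net for net in nets):
            return str(addr)
    return None

if __name__ == "__main__":
    # Constructed sample: 93.192.98.94 is the spoofed value from the issue,
    # 203.0.113.7 the real client appended by the proxy, 198.51.100.0/24 a
    # stand-in for the proxy's own address range.
    print(parse_via("1.1 93.192.98.94"))
    print(client_ip_from_xff("93.192.98.94, 203.0.113.7", "198.51.100.1",
                             ["198.51.100.0/24"]))
```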

@sereneblue
Owner

@kekkc

Disabling header IP spoofing for certain Cloudflare requests seems to resolve this issue. v0.20.14 will be released later today.

@kekkc
Author

kekkc commented Jun 14, 2020

It worked, many many thanks ;)

@kekkc
Author

kekkc commented Dec 26, 2020

Unfortunately it seems that Cloudflare changed its implementation again.

Since the above test site is no longer working, I noticed it on the following site, for example:
https://app.hubspot.com

It would be great if there were a workaround.

BTW: wish you all happy holidays ;)

@sereneblue
Owner

@kekkc Happy holidays to you as well! This issue isn't caused by the X-Forwarded-For/Via IP headers. Cloudflare does seem to have changed something recently and it seems it's caused by the user agent. There is an existing issue about it here.
