From what I understand, it's pretty simple:
X-Forwarded-For

X-Forwarded-For is a well-established HTTP header used by proxies, including Cloudflare, to pass along other IP addresses in the request. This is often the same as CF-Connecting-IP, but there may be multiple layers of proxies in a request path.

Two possible outcomes.

First, if there was no existing "X-Forwarded-For" header in the request sent to Cloudflare, then the header would have an identical value to the CF-Connecting-IP header, like this:

"X-Forwarded-For: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address.

Second, if there was an "X-Forwarded-For" header present in the request sent to Cloudflare, Cloudflare appends the client's IP to its value, as the last in the list.

"X-Forwarded-For: A.B.C.D[,X.X.X.X,Y.Y.Y.Y,]"

where A.B.C.D is the client's IP address, also known as the original visitor IP address. X.X.X.X and Y.Y.Y.Y in this example are IP addresses along the route in the header value.
When you don't add the X-Forwarded-For header, Cloudflare will implicitly add it with the visitor's real IP address.

When you manually add that header to your request with another IP, the IP will be correctly spoofed, provided that the Forwarding-For option is allowed by your server and you are a trusted forwarder. To block X-Forwarded-For you can use iptables or something else.

In some cases, this header can be relevant to the security of the website.
X-Forwarded-For HTTP header should not be used for any Access Control List (ACL) checks because it can be spoofed by attackers. Use the real IP address for this type of restriction.
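As an added example (not part of the original answer or of Cloudflare's code), here is how a server behind a trusted proxy can derive the client address for an ACL check: trust CF-Connecting-IP only when the TCP peer is a known proxy, otherwise walk X-Forwarded-For from the right and stop at the first hop that is not a trusted proxy. The proxy ranges and allowlist address are constructed placeholders, and `naive_acl_allows` shows the anti-pattern the answer warns against.

```python
import ipaddress

# Constructed placeholder ranges standing in for the proxy networks you trust;
# in production load Cloudflare's published ranges instead of these.
TRUSTED_PROXIES = ["203.0.113.0/24", "198.51.100.0/24"]
ADMIN_ALLOWLIST = ["192.0.2.10"]  # constructed: the only IP allowed into /admin


def parse_xff(value):
    """Split X-Forwarded-For into hops; the leftmost is the oldest, client-supplied entry."""
    return [h.strip() for h in value.split(",") if h.strip()]


def _is_trusted(addr, nets):
    return any(addr in n for n in nets)


def real_client_ip(remote_addr, headers):
    """Return the client address a server may rely on, or None if it cannot be derived.

    Only the peer that opened the TCP connection (remote_addr) is observed directly.
    If that peer is a trusted proxy, its own CF-Connecting-IP header is authoritative.
    Otherwise walk X-Forwarded-For from the right, discarding trusted proxies; the
    first untrusted hop is the best available answer. Everything left of it was
    written by whoever sent the request and is spoofable.
    """
    nets = [ipaddress.ip_network(n) for n in TRUSTED_PROXIES]
    try:
        remote = ipaddress.ip_address(remote_addr)
        if not _is_trusted(remote, nets):
            return str(remote)  # direct connection: the peer itself is the client
        cf_ip = headers.get("CF-Connecting-IP")
        if cf_ip:
            return str(ipaddress.ip_address(cf_ip))
        for hop in reversed(parse_xff(headers.get("X-Forwarded-For", ""))):
            addr = ipaddress.ip_address(hop)
            if not _is_trusted(addr, nets):
                return str(addr)
    except ValueError:
        return None  # malformed address anywhere in the chain: refuse rather than guess
    return None


def acl_allows(remote_addr, headers):
    """ACL check keyed on the derived client IP, never on raw X-Forwarded-For."""
    return real_client_ip(remote_addr, headers) in ADMIN_ALLOWLIST


def naive_acl_allows(headers):
    """Anti-pattern from the answer: trusting the leftmost X-Forwarded-For entry."""
    hops = parse_xff(headers.get("X-Forwarded-For", ""))
    return bool(hops) and hops[0] in ADMIN_ALLOWLIST
```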