X-Forwarded-For contains Fastly CDN IPs instead of real client IPs?
tobias-gp
PRO OP

2 months ago

It seems like the X-Forwarded-For and X-Real-Ip headers arriving at my service contain Fastly edge IPs instead of the actual client IP addresses. This broke our GeoIP-based access control (Germany-only filter) because the GeoIP database resolves Fastly IPs to the US. Everything was working correctly yesterday; client IPs were being forwarded properly.

Is anybody else experiencing this issue?

Logs:

Three different requests from two devices (desktop in Germany, iPhone on German mobile network) all show Fastly-owned IPs rather than real client IPs:

  • client_ip: 167.82.231.36 — Fastly IP range (167.82.0.0/17)
  • client_ip: 167.82.231.24 — Fastly IP range (same /24, different device)
  • client_ip: 140.248.75.140 — Fastly IP range (140.248.0.0/16)

The remote_ip values are Railway internal (100.64.0.x), which is expected. The Cdn-Loop header confirms Fastly Compute@Edge is in the request path:

Cdn-Loop: Fastly;wasm="9FXIKA0Ny0TQB2dZYmglrLBKOSwJx6RmkQ4PNCA2cIrUSElFj551TkZyfdkYueREuULCvrSqDOh2esXmv797ojDR88GRAA"

All requests hit the railway/europe-west4-drams3a edge.

Solved

7 Replies

Status changed to Awaiting Railway Response Railway about 2 months ago


rhermens
PRO

2 months ago

We've also had this issue, not for geolocation but for other reasons. Today again for a different service... We eventually had to add Fastly as a trusted proxy, which seems unreasonable to me.
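
The trusted-proxy approach mentioned in this reply, as an added example (not code from the thread or from Railway): it walks X-Forwarded-For right to left, skips hops in a trusted list, and fails closed with a distinct reason when only proxy hops remain. The trusted ranges are the ones quoted in the thread plus 100.64.0.0/10 for the internal hop; `geo_gate`, `country_of`, the `GEO` table and the 203.0.113.x / 198.51.100.x addresses are constructed assumptions.

```python
import ipaddress

# Trusted hops: the two Fastly ranges quoted in the thread, plus 100.64.0.0/10,
# which covers the internal 100.64.0.x peer (assumption). In production, load
# the CDN's published range list instead of hard-coding it.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("167.82.0.0/17", "140.248.0.0/16", "100.64.0.0/10")]

def resolve_client_ip(remote_addr, xff_header):
    """Return the right-most hop that is not a trusted proxy, else None."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(remote_addr)              # the TCP peer is the last hop
    for hop in reversed(hops):            # left-most entries are client-controlled
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                   # malformed entry: do not guess
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None                           # only proxy hops were present

def geo_gate(remote_addr, xff_header, country_of, allowed=("DE",)):
    """Germany-only filter that fails closed with a distinct reason."""
    ip = resolve_client_ip(remote_addr, xff_header)
    if ip is None:
        # The regression in this thread: alert on it, never geolocate a CDN IP.
        return ("deny", "no-client-ip")
    return ("allow" if country_of(ip) in allowed else "deny", ip)

# Constructed GeoIP stand-in (documentation addresses, not real lookups).
GEO = {"203.0.113.7": "DE", "198.51.100.9": "US"}

if __name__ == "__main__":
    samples = [
        "203.0.113.7, 140.248.75.140",                # healthy chain
        "140.248.75.140",                             # edge IP only (the regression)
        "198.51.100.9, 203.0.113.7, 140.248.75.140",  # client-supplied first entry
    ]
    for xff in samples:
        print(xff, "->", geo_gate("100.64.0.3", xff, GEO.get))
```

Logging the `no-client-ip` reason separately from ordinary country denials makes a header regression like this one visible as an infrastructure fault rather than as a wave of foreign traffic.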


adn-jg
PRO

2 months ago

Same here. @Railway please have a look at that ASAP. Our customers cannot access our services anymore.


2 months ago

Acknowledging this issue, we have raised it to our networking engineer.


Status changed to Awaiting User Response Railway about 2 months ago


cqbent
HOBBY

2 months ago

Please fix ASAP! This is also breaking our application as we need IP-based access for it.


Status changed to Awaiting Railway Response Railway about 2 months ago


2 months ago

This is prioritized in our system.


Status changed to Awaiting User Response Railway about 2 months ago


2 months ago

Hey,

This has been fixed, no action is needed on your end.

We are sorry for introducing this regression and will be more diligent about changes to the behavior of headers going forward.


brody

Hey, This has been fixed, no action is needed on your end. We are sorry for introducing this regression and will be more diligent about changes to the behavior of headers going forward.

tobias-gp
PRO OP

2 months ago

Thank you @brody!


Status changed to Awaiting Railway Response Railway about 2 months ago


Status changed to Solved brody about 2 months ago

