V3 Backport (fix(wrangler): strip CF-Connecting-IP header from all outbound requests #7914) (#8681)

* Strip CF-Connecting-IP

* Create cyan-years-relate.md

* Address comments

* remove test

* re-add test

* fix tests

* fix miniflare.ts

* fix compat date

---------

Co-authored-by: Samuel Macleod <[email protected]>

Author: workers-devprod

.changeset/cyan-years-relate.md

@@ -0,0 +1,6 @@
+---
+"miniflare": patch
+"wrangler": patch
+---
+
+fix(miniflare): strip CF-Connecting-IP header from all outbound requests

packages/miniflare/src/plugins/core/index.ts

@@ -8,6 +8,7 @@ import { TextEncoder } from "util";
 import { bold } from "kleur/colors";
 import { MockAgent } from "undici";
 import SCRIPT_ENTRY from "worker:core/entry";
+import STRIP_CF_CONNECTING_IP from "worker:core/strip-cf-connecting-ip";
 import { z } from "zod";
 import { fetch } from "../../http";
 import {
@@ -160,6 +161,9 @@ const CoreOptionsSchemaInput = z.intersection(
 		 */
 		hasAssetsAndIsVitest: z.boolean().optional(),
 		unsafeEnableAssetsRpc: z.boolean().optional(),
+
+		// Strip the CF-Connecting-IP header from outbound fetches
+		stripCfConnectingIp: z.boolean().default(true),
 	})
 );
 export const CoreOptionsSchema = CoreOptionsSchemaInput.transform((value) => {
@@ -387,6 +391,27 @@ export function maybeWrappedModuleToWorkerName(
 	}
 }
 
+function getStripCfConnectingIpName(workerIndex: number) {
+	return `strip-cf-connecting-ip:${workerIndex}`;
+}
+
+function getGlobalOutbound(
+	workerIndex: number,
+	options: z.infer<typeof CORE_PLUGIN.options>
+) {
+	return options.outboundService === undefined
+		? undefined
+		: getCustomServiceDesignator(
+				/* referrer */ options.name,
+				workerIndex,
+				CustomServiceKind.KNOWN,
+				CUSTOM_SERVICE_KNOWN_OUTBOUND,
+				options.outboundService,
+				options.hasAssetsAndIsVitest,
+				options.unsafeEnableAssetsRpc
+			);
+}
+
 export const CORE_PLUGIN: Plugin<
 	typeof CoreOptionsSchema,
 	typeof CoreSharedOptionsSchema
@@ -686,18 +711,9 @@ export const CORE_PLUGIN: Plugin<
 							: options.unsafeEphemeralDurableObjects
 								? { inMemory: kVoid }
 								: { localDisk: DURABLE_OBJECTS_STORAGE_SERVICE_NAME },
-					globalOutbound:
-						options.outboundService === undefined
-							? undefined
-							: getCustomServiceDesignator(
-									/* referrer */ options.name,
-									workerIndex,
-									CustomServiceKind.KNOWN,
-									CUSTOM_SERVICE_KNOWN_OUTBOUND,
-									options.outboundService,
-									options.hasAssetsAndIsVitest,
-									options.unsafeEnableAssetsRpc
-								),
+					globalOutbound: options.stripCfConnectingIp
+						? { name: getStripCfConnectingIpName(workerIndex) }
+						: getGlobalOutbound(workerIndex, options),
 					cacheApiOutbound: { name: getCacheServiceName(workerIndex) },
 					moduleFallback:
 						options.unsafeUseModuleFallbackService &&
@@ -730,6 +746,22 @@ export const CORE_PLUGIN: Plugin<
 			if (maybeService !== undefined) services.push(maybeService);
 		}
 
+		if (options.stripCfConnectingIp) {
+			services.push({
+				name: getStripCfConnectingIpName(workerIndex),
+				worker: {
+					modules: [
+						{
+							name: "index.js",
+							esModule: STRIP_CF_CONNECTING_IP(),
+						},
+					],
+					compatibilityDate: "2025-01-01",
+					globalOutbound: getGlobalOutbound(workerIndex, options),
+				},
+			});
+		}
+
 		return { services, extensions };
 	},
 };

packages/miniflare/src/workers/core/strip-cf-connecting-ip.worker.ts

@@ -0,0 +1,7 @@
+export default {
+	fetch(request) {
+		const headers = new Headers(request.headers);
+		headers.delete("CF-Connecting-IP");
+		return fetch(request, { headers });
+	},
+} satisfies ExportedHandler;

packages/miniflare/test/index.spec.ts

@@ -2703,6 +2703,46 @@ test("Miniflare: CF-Connecting-IP is preserved when present", async (t) => {
 	t.deepEqual(await ip.text(), "128.0.0.1");
 });
 
+// regression test for https://github.com/cloudflare/workers-sdk/issues/7924
+test("Miniflare: strips CF-Connecting-IP", async (t) => {
+	const server = new Miniflare({
+		script:
+			"export default { fetch(request) { return new Response(request.headers.get(`CF-Connecting-IP`)) } }",
+		modules: true,
+	});
+	const url = await server.ready;
+
+	const client = new Miniflare({
+		script: `export default { fetch(request) { return fetch('${url.href}', {headers: {"CF-Connecting-IP":"fake-value"}}) } }`,
+		modules: true,
+	});
+	t.teardown(() => client.dispose());
+	t.teardown(() => server.dispose());
+
+	const landingPage = await client.dispatchFetch("http://example.com/");
+	// The CF-Connecting-IP header value of "fake-value" should be stripped by Miniflare, and should be replaced with a generic 127.0.0.1
+	t.notDeepEqual(await landingPage.text(), "fake-value");
+});
+test("Miniflare: does not strip CF-Connecting-IP when configured", async (t) => {
+	const server = new Miniflare({
+		script:
+			"export default { fetch(request) { return new Response(request.headers.get(`CF-Connecting-IP`)) } }",
+		modules: true,
+	});
+	const url = await server.ready;
+
+	const client = new Miniflare({
+		script: `export default { fetch(request) { return fetch('${url.href}', {headers: {"CF-Connecting-IP":"fake-value"}}) } }`,
+		modules: true,
+		stripCfConnectingIp: false,
+	});
+	t.teardown(() => client.dispose());
+	t.teardown(() => server.dispose());
+
+	const landingPage = await client.dispatchFetch("http://example.com/");
+	t.deepEqual(await landingPage.text(), "fake-value");
+});
+
 test("Miniflare: can use module fallback service", async (t) => {
 	const modulesRoot = "/";
 	const modules: Record<string, Omit<Worker_Module, "name">> = {

packages/miniflare/turbo.json

@@ -3,7 +3,6 @@
 	"extends": ["//"],
 	"tasks": {
 		"build": {
-			"inputs": ["src/**", "scripts/**", "types/**", "*.mjs", "*.js", "*.json"],
 			"outputs": ["dist/**", "bootstrap.js", "worker-metafiles/**"],
 			"env": ["CI_OS"]
 		},

packages/wrangler/src/api/startDevWorker/ProxyController.ts

@@ -94,6 +94,9 @@ export class ProxyController extends Controller<ProxyControllerEventMap> {
 							unsafePreventEviction: true,
 						},
 					},
+					// Miniflare will strip CF-Connecting-IP from outgoing fetches from a Worker (to fix https://github.com/cloudflare/workers-sdk/issues/7924)
+					// However, the proxy worker only makes outgoing requests to the user Worker Miniflare instance, which _should_ receive CF-Connecting-IP
+					stripCfConnectingIp: false,
 					serviceBindings: {
 						PROXY_CONTROLLER: async (req): Promise<Response> => {
 							const message =