How to save clients' actual IPs when using CloudFlare + Nginx + Apache

advertisements

I've been stuck for days trying to solve this problem, I hope someone can help me with this.

I have Nginx stands as a reverse proxy in front of Apache. I'm able to log clients' real IPs by using mod_rpaf module when using Nginx + Apache only without CloudFlare. I then decided to add CloudFlare to my server. Now CloudFlare IPs are showing instead of clients' IPs. I have the Nginx RealIP Module installed, I tried various configurations but didn't solve the problem. I then installed mod_cloudflare which is supposed to log real clients' IPs to Apache as described on CloudFlare, but that also didn't solve the problem.

First, The working configurations for Nginx + Apache only are as follows:

Nginx Configuration:

proxy_set_header   X-Real-IP  $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
real_ip_header     X-Client-IP;

mod_rpaf Configuration:

LoadModule rpaf_module      /usr/local/apache/modules/mod_rpaf-2.0.so
<IfModule mod_rpaf-2.0.c>
    RPAFenable On
    RPAFproxy_ips 127.0.0.1 #Proxy IPs
    RPAFsethostname On
    RPAFheader X-Client-IP
</IfModule>

Until now clients' real IPs are shown correctly.

If anyone looking for logging real clients' IPs, you can use the above configurations.


Second, using CloudFlare with Nginx + Apache:

Nginx Configuration:

proxy_set_header   X-Real-IP  $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
set_real_ip_from   204.93.240.0/24;
set_real_ip_from   204.93.177.0/24;
set_real_ip_from   199.27.128.0/21;
set_real_ip_from   173.245.48.0/20;
set_real_ip_from   103.21.244.0/22;
set_real_ip_from   103.22.200.0/22;
set_real_ip_from   103.31.4.0/22;
set_real_ip_from   141.101.64.0/18;
set_real_ip_from   108.162.192.0/18;
set_real_ip_from   190.93.240.0/20;
set_real_ip_from   188.114.96.0/20;
set_real_ip_from   197.234.240.0/22;
set_real_ip_from   198.41.128.0/17;
set_real_ip_from   162.158.0.0/15;
set_real_ip_from   104.16.0.0/12;
set_real_ip_from   172.64.0.0/13;
set_real_ip_from   2400:cb00::/32;
set_real_ip_from   2606:4700::/32;
set_real_ip_from   2803:f800::/32;
set_real_ip_from   2405:b500::/32;
set_real_ip_from   2405:8100::/32;
real_ip_header     CF-Connecting-IP;

mod_rpaf Configuration:

LoadModule rpaf_module      /usr/local/apache/modules/mod_rpaf-2.0.so
<IfModule mod_rpaf-2.0.c>
    RPAFenable On
    RPAFproxy_ips 127.0.0.1 #Proxy IPs
    RPAFsethostname On
    RPAFheader CF-Connecting-IP
</IfModule>

So when using CloudFlare with the above configurations, the IPs being logged belong to CloudFlare despite the configurations made.

I tried the following combinations in Nginx and mod_rpaf configurations but there were no luck,

#Nginx
real_ip_header     X-Client-IP;
real_ip_header     X-Forwarded-For;
real_ip_header     X-Real-IP;

#mod_rpaf
RPAFheader X-Client-IP
RPAFheader X-Forwarded-For
RPAFheader X-Real-IP

I've inserted real_ip_recursive on; in Nginx configuration. Also, inserted all CloudFlare IP ranges to the mod_rpaf configuration in a standalone try. However, all of that didn't solve the problem.

Any answer or comment is greatly appreciated. Thank you.


I would advise you use the HTTP_CF_CONNECTING_IP header instead of the X-Forwarded headers.

This is because if there are multiple layers of forwarding, the X-Forwarded headers can be overwritten to a different IP of the layer before it, instead of the actual client IP.