Apache webserver behind Apache reverse proxy, restore visitor's ip remote ip

I have a website on an apache webserver, behind another apache instance acting as reverse proxy.
Following this guide https://devanswers.co/get-real-client-ip-address-cloudflare-apache-php/
I am able to restore the original visitor’s IP address using a normal cloudflare<----->apache setup, However I can’t find any guide on how to do it on a cloudflare<----->apache_rp<----->apache_ws setup.
Should I proceed the same way and add the same headers on both apache instances?

I would hope that apache_rp wouldn’t strip out any headers such as cf-connecting-ip as it passes the request through to the origin server. Just as it shouldn’t strip out the various other headers in the browser’s request.

Yes but how do I achieve that in the config files?

The article you linked to pretty much covers it, but here’s Cloudflare’s version:

Yes that article explains how to do it for a simple apache config, what I don’t know how to do is how to pass that ip address from cloudlflare to the apache reverse proxy and finally to the actual apache instance behind the reverse proxy

Aside from what I said in my original reply, I would expect that installing mod_remoteip in the actual apache instance will work.

So it basically means that I need to follow the guide and apply exactly the same settings for both the reverse proxy and the webserver?

just a bump

Another bump

It depends on where you want to observe the real IP. On both servers, you can only know the actual client IP by inspecting a header. Provided nothing can connect to the proxy except Cloudflare, and nothing can connect to the web server except the reverse proxy, then you can trust that the CF-Connecting-IP is valid. If you have an application running on the web server, that would be the first place to install and configure mod_remoteip. If you also want to have the logs on the RP contain the client IP, then you need to do it there.

1 Like

At one point the help section of the website says this feature is only available on the Enterprise plan and must be enabled there.

I am confused now if the article in question is applicable to all plans.

If not, as a pro plan user, how can I see the original IP addresses. We had some ip restricted assets which obviously after the switch to cloudflare stopped working as the IP hitting those is different.

Appreciate the guidance on this one.

Not sure what article you are referring to. CF-Connecting-IP is available on all plans, and my memory says it always was. There is a True-Client-IP that does the same thing but is restricted to Enterprise plans. The help article linked to two at the start of this thread is the solution.

1 Like

Thanks Michael,

I was confused about having the same feature free and not free at the same time basically.

I will setup remoteip as per the directions tomorrow then.

Thank you.

Thanks, it’s more clear now, as I understand it the CF header with the actual user’s IP address is passed to the internal server and through the reverse proxy regardless of the configuration of the reverse proxy, this means that if I want to make the internal webserver aware of that IP address it’s enough to follow the guide that I previously linked to, on the internal server only. Is this correct?

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.