Bookstack with CF-tunnel not able to get Real Visitor IP

Hi all, I hope you are doing well. I have a question that probably a lot of you easily fixed, but I am stuck. I followed the mod_ip tutorial [restoring-visitor-ips] and am not getting an error. Below you can find my config; I am probably missing a minor detail, and help is really appreciated.

/etc/apache2/sites-available/bookstack.conf

<VirtualHost *:80>
  ServerName 10.0.0.10

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/bookstack/public/

  <Directory /var/www/bookstack/public/>
      Options -Indexes +FollowSymLinks
      AllowOverride None
      Require all granted
      <IfModule mod_rewrite.c>
          <IfModule mod_negotiation.c>
              Options -MultiViews -Indexes
          </IfModule>

          RewriteEngine On

          # Handle Authorization Header
          RewriteCond %{HTTP:Authorization} .
          RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

          # Redirect Trailing Slashes If Not A Folder...
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteCond %{REQUEST_URI} (.+)/$
          RewriteRule ^ %1 [L,R=301]

          # Handle Front Controller...
          RewriteCond %{REQUEST_FILENAME} !-d
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteRule ^ index.php [L]
      </IfModule>
  </Directory>

  RemoteIPHeader CF-Connecting-IP
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

/etc/apache2/conf-available/remoteip.conf

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22

Relevant snippet of /etc/apache2/apache2.conf

# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
#
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

Which produces the following result in the log file (/var/log/apache2/access.log) - the domain name has been changed to REDACTED:

127.0.0.1 - - [28/Dec/2023:07:29:03 +0000] "GET /manifest.json HTTP/1.1" 200 2328 "REDACTED/books/courses/page/test" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"

If someone can help me find the error, that would be appreciated.

Cheers,
Bart

You don’t need Cloudflare’s IPs in the config, as the tunnel is connecting to your website locally, from 127.0.0.1 as you can see.

You only need:

RemoteIPTrustedProxy 127.0.0.1
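
The trust decision behind this answer, as an added example that is not part of the original thread: a simplified Python model of mod_remoteip's documented behaviour, showing why the header is ignored when only Cloudflare's ranges are trusted and the tunnel connects from loopback. The helper name `logged_client_ip`, the range subset and the visitor address are assumptions made for illustration.

```python
import ipaddress

# Ranges mod_remoteip's documentation calls private/loopback; a proxy listed
# with RemoteIPTrustedProxy may not vouch for addresses inside them.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "169.254.0.0/16", "127.0.0.0/8")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def logged_client_ip(peer, header, trusted_proxies):
    """Hypothetical helper: the address %a would show for one request.

    peer            -- TCP source address Apache sees
    header          -- value of the RemoteIPHeader (CF-Connecting-IP) or None
    trusted_proxies -- arguments of the RemoteIPTrustedProxy lines
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (header or "").split(",") if h.strip()]
    # Walk the header right to left, but only while the current hop is trusted.
    while hops and _in_any(current, trusted):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break                      # malformed value: stop, keep current
        if _in_any(candidate, PRIVATE):
            break                      # TrustedProxy discards private/loopback
        current = candidate
        hops.pop()
    return str(current)

# Constructed sample data: a subset of the Cloudflare ranges from the question
# and a documentation-range visitor address.
CLOUDFLARE_ONLY = ["173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13"]
LOOPBACK_ONLY = ["127.0.0.1"]
VISITOR = "203.0.113.7"

if __name__ == "__main__":
    # cloudflared connects from loopback, so the peer is always 127.0.0.1.
    print(logged_client_ip("127.0.0.1", VISITOR, CLOUDFLARE_ONLY))  # header ignored
    print(logged_client_ip("127.0.0.1", VISITOR, LOOPBACK_ONLY))    # header honoured
    # A peer outside the trusted list cannot set the logged IP via the header.
    print(logged_client_ip("198.51.100.9", VISITOR, LOOPBACK_ONLY))
```

With 127.0.0.1 trusted, any local process that can reach the vhost can supply the header, so the logged address is only as reliable as the set of processes able to connect from loopback.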

Hi Laudian,

Thank you for your prompt answer. It worked, and it makes sense not to add the full list.

Kind Regards,
Bart
