Cloudflare cannot obtain user IP correctly

The reason:
I set up a WordPress blog. Because Cloudflare is slow in mainland China, I bought a US CN2 VPS as a blog proxy (running nginx, placed in front of Cloudflare), and use smart DNS resolution to route traffic from mainland China to the CN2 VPS, while access from outside mainland China resolves to Cloudflare. The problem I am encountering now is: when mainland China visits the blog (via the CN2 VPS), Cloudflare traffic statistics show the access as coming from a US IP (the address is the CN2 VPS IP). I am worried about network attacks. I have searched many places on the Internet and tried many methods to pass the IP of users visiting from mainland China to Cloudflare.
Network link diagram:
If I want to use Cloudflare as a firewall to prevent my blog from being attacked from the Internet, I need to pass the visitor IP to Cloudflare.
In mainland China: ①Visitor (IP: 112.37.X.X) –> ②CN2 VPS (IP: 104.224.X.X) –> ③Cloudflare (gets the IP of ②, not the IP of ①) –> ④WordPress
Cloudflare is required to obtain the IP of ①.
Outside mainland China: ⑪Visitor –> ⑫Cloudflare –> ⑬WordPress; the visitor IP is obtained normally.
②Nginx configuration on the CN2 VPS:
server {
    listen 80;
    listen [::]:80;
    server_name www.xxx.info;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    # the IPv6 listener also needs ssl, otherwise HTTPS over IPv6 fails
    listen [::]:443 ssl http2;

    server_name www.xxx.info;

    ssl_certificate /home/www/nginx/ssl/xxx.info/www.xxx.info.pem;
    ssl_certificate_key /home/www/nginx/ssl/xxx.info/www.xxx.info.key;

    client_max_body_size 5m;
    client_body_timeout 60;

    #real_ip_recursive on;
    #real_ip_header CF-Connecting-IP;
    #real_ip_header X-Forwarded-For;
    #set_real_ip_from 0.0.0.0/0;

    gzip on;
    gzip_types application/xml application/json text/css text/javascript application/javascript;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 500;

    location / {
        proxy_pass https://104.26.11.153;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_http_version 1.1;

        proxy_ssl_name $host;
        proxy_ssl_server_name on;
    }

    location ~ .*\.(gif|jpg|png|css|js)(.*) {
        proxy_pass https://104.26.11.153;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_set_header Host $host;
        # cache_one must be declared with proxy_cache_path in the http {} block
        proxy_cache cache_one;
        proxy_cache_valid 200 302 24h;
        proxy_cache_valid 301 30d;
        proxy_cache_valid any 5m;

        proxy_buffer_size 16k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 96k;
        proxy_temp_file_write_size 96k;

        expires 90d;
        add_header wall "xxx-CN2";

        proxy_ssl_name $host;
        proxy_ssl_server_name on;
    }
}

Have you already tried to edit your /etc/nginx/nginx.conf, inside http {...} and put:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;
# real_ip_header X-Forwarded-For;

To get the visitor IP in your access or error log files on your Web server.

More here:
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-logging-visitor-IP-addresses

More info here:
https://support.cloudflare.com/hc/en-us/articles/206776727-Understanding-the-True-Client-IP-Header
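The set_real_ip_from / real_ip_header mechanism this reply relies on, modelled in Python as an added example (not code from the thread or from nginx): it shows that the header is only honoured when the connecting peer is inside a trusted range, why the commented-out "set_real_ip_from 0.0.0.0/0" in the question would let any client forge the logged address, and what real_ip_recursive changes for an X-Forwarded-For chain. The addresses 203.0.113.7, 198.51.100.9 and 172.64.1.1 are constructed test values.

```python
import ipaddress

# Cloudflare ranges exactly as listed in the set_real_ip_from lines above.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "2400:cb00::/32", "2405:b500::/32",
    "2606:4700::/32", "2803:f800::/32", "2c0f:f248::/32", "2a06:98c0::/29")]
# What the commented-out "set_real_ip_from 0.0.0.0/0" in the question would mean.
TRUST_ANY_PEER = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

def is_trusted(addr, trusted):
    """True if addr lies inside one of the set_real_ip_from networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)

def real_ip(remote_addr, headers, header="CF-Connecting-IP",
            recursive=True, trusted=CLOUDFLARE_RANGES):
    """Model of ngx_http_realip_module: the address nginx ends up logging.
    The header is consulted only if the TCP peer is trusted. recursive=True walks
    the comma list right to left skipping trusted hops (real_ip_recursive on);
    an unparsable value leaves remote_addr untouched, as nginx does."""
    try:
        if not is_trusted(remote_addr, trusted):
            return remote_addr
        value = next((v for k, v in headers.items() if k.lower() == header.lower()), "")
        hops = [h.strip() for h in value.split(",") if h.strip()]
        if not hops:
            return remote_addr
        client = remote_addr
        for hop in reversed(hops):
            ipaddress.ip_address(hop)          # validate every hop we examine
            client = hop
            if not recursive or not is_trusted(hop, trusted):
                break
        return client
    except ValueError:
        return remote_addr

def demo():
    """Constructed addresses: 203.0.113.7 / 198.51.100.9 are TEST-NET, 172.64.1.1 is a Cloudflare range."""
    edge, forged = "172.64.1.1", {"CF-Connecting-IP": "203.0.113.7"}
    chain = {"X-Forwarded-For": "203.0.113.7, 104.16.0.5"}
    return {
        "behind_cf": real_ip(edge, forged),                # origin behind Cloudflare: header honoured
        "forged_direct": real_ip("198.51.100.9", forged),  # direct hit with forged header: ignored
        "forged_trust_any": real_ip("198.51.100.9", forged, trusted=TRUST_ANY_PEER),  # spoofable
        "xff_recursive": real_ip(edge, chain, header="X-Forwarded-For"),
        "xff_flat": real_ip(edge, chain, header="X-Forwarded-For", recursive=False),
    }
```

On the origin behind Cloudflare this is what restores the visitor address for logging and blocking; on the CN2 VPS the visitor is already the direct peer, so the module changes nothing there and cannot alter what Cloudflare sees.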

I’d considered the True Client IP, but that would require their upstream proxy to support it (AFAIK), plus that Enterprise Plan.

I think the bigger issue is the upstream proxy they put in front of Cloudflare. That makes it all a bit iffy with passing through client IP address. That might not be something Cloudflare would tolerate due to potential for abuse.


Do you already use some WordPress plugin such as the very lightweight and great BBQ Firewall (Pro for only $20) or Wordfence, just in case it does not work with Cloudflare Firewall rules (if on the free plan)?

@fritex @sdayman Thank you for your replies. I want Cloudflare to obtain the visitor IP correctly. It has nothing to do with the origin site obtaining the visitor IP. I have tried the @fritex method, but it is useless.
When visiting from mainland China, Cloudflare obtains the CN2 VPS IP instead of the visitor IP.

Can you … hm … add the custom HTTP header which would catch and contain the visitor IP, and then display it and catch it on the other end?

I am afraid it would not work as well, because the request to the Cloudflare end would go via your VPS, and not from your visitor, since it would be like “internet user → your VPS → Cloudflare”.
And your VPS would act as a VPN service, which would log IP addresses in its own access.log, and the final request to Cloudflare would always come from your VPS’s static IP.

Can you rephrase this one a little bit more?

From my understanding, with the set_real_ip_from and real_ip_header CF-Connecting-IP setup of Cloudflare, you would be able to get the visitor IP on the VPS, and there you can block them with Nginx rules.

Moreover, you are worried about network attacks?
Like what? DDoS? ICMP, ACK/SYN?
If so, you would need to set up at least some kind of IDS or fail2ban and iptables. Also modify your sysctl.conf file.
The simple “ping” happens as soon as you buy the VPS and its NIC is connected to the Internet. Somebody is already scanning your IP for ports or pinging it, along with “sniffing” around the possible connections to your email service (if you use it and have open ports).

Also, with Cloudflare rules, if set up, you can block a specific country or several of them, or allow only one and block all the others.
For WordPress, it would be good to go with the “Medium” Firewall setting and also set up Firewall rules, for example to block all except your country on /wp-login.php.
Nevertheless, block /xmlrpc.php for all.
With WordPress, as already stated, you can use security plugins which track and block malicious traffic, even if something somehow bypasses Cloudflare.

What I do not understand is: do you want to track your traffic source location via the Cloudflare dashboard and block them?
If your domain/website is pointed to Cloudflare, you would see all the traffic in Analytics, or mostly the requests that are challenged and/or blocked due to the Firewall setup on Cloudflare.

Or, do you have a setup like “internet user → my Wordpress website on some server → my VPS server → Cloudflare”?

  • if so, why don’t you host your Website on that VPS?

because cloudflare is slow in mainland China

If the website is pointed to Cloudflare, the first request from the user goes over the Internet → Cloudflare → your website (depending on the cache settings in the Cloudflare dashboard, it may not need to go to your origin again if the cached part is on Cloudflare, so Cloudflare would return the cached content from its own Edge and would not go to your origin; but if your origin is not working, it will display the upper bar with a notification for the end user).

WordPress also has caching plugins like WP Super Cache or W3 Total Cache which can help you when you have 10k visitors (less or more) per day. In combination with Cloudflare, it works great!

Are you using Nginx proxy manager or some other?

I need to identify and block attacking access links in Cloudflare Analytics. When I visit from mainland China, Cloudflare Analytics displays a US access IP.
When the visitor is in mainland China: Internet user → CN2 VPS (using nginx to reverse proxy Cloudflare; this is the problem) → Cloudflare (Cloudflare Analytics shows the US IP, and the IP address is the CN2 VPS) → My VPS server (WordPress).
When accessing from outside mainland China: Internet user → Cloudflare → My VPS server (WordPress).

Cloudflare can display access information by adding /cdn-cgi/trace after the domain name, i.e. https://www.xxx.info/cdn-cgi/trace; the following is the access from mainland China:


When not using the CN2 VPS as a reverse proxy, /cdn-cgi/trace shows my visitor IP.

I want /cdn-cgi/trace to still display the visitor IP (112.37.xx.xx) when going through the CN2 VPS reverse proxy to Cloudflare.

You really need to work with Cloudflare on this. Because you’ve put a proxy in front of Cloudflare, that is not what Cloudflare is expecting.

To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.
