How can I see the real IP's hitting my local web site?

I have a local web site set up behind a Cloudflare tunnel, fronted by a Cloudflare provided DNS name. Surprise, surprise - I see from my web server’s logs that there are a number of probes and hacking attempts hitting it - but cannot tell where these are really coming from in my local logs since the client IP that is always logged is “: : 1” which I assume is the local host’s loopback IP. Does anyone know how I can log the actual IP addresses that are hitting my Cloudflare DNS name on the Internet in my local web server’s logs? I’d like to locally black-list IP’s that seem to be attacking on a frequent basis… Some of these probes and hack attempts are so simple that they’re pretty funny to see.

I haven’t seen anything on the Cloudflare dashboard that shows me this detailed information either. Thanks for any thoughts or suggestions!

Same as with the normal Proxy, Restore Visitor IPs from the CF-Connecting-IP Header: Restoring original visitor IPs · Cloudflare Support docs

It’s a good idea, if you can, to take advantage of Cloudflare’s WAF and other options to block the requests as well, since they can block the request even from reaching your service at all, basically infinite blocking capacity. You can manually craft Custom Rules to block specific paths/IPs/etc. You also have free unmetered rate limiting if the style of attack is just lots of random requests from a few IPs: Back in 2017 we gave you Unmetered DDoS Mitigation, here's a birthday gift: Unmetered Rate Limiting
On Pro or higher you have the WAF Managed Rulesets as well which do a good job of blocking obvious attack requests.
Mitigating an HTTP DDoS Attack manually with Cloudflare

Thanks! Everything you described works perfectly!

I activated a WAF rule to challenge any requests from outside my contentment, since these aren’t too important for my daughter’s local pet sitting business. (I made it a “managed challenge” instead of a total block in case one of her clients is actually overseas (as has happened) and needed the web site info to contact her). This should cut down tremendously on the number of probes and hacking attempts that are coming from all the “usual suspect” places.

I was also easily able to configure my local web server’s log to record the CF-Connecting_IP header, that displays what seems to be the client’s source IP address (as best it can be determined, since in my testing from my local network it seems to be getting aggregated to an IP my local network doesn’t have associated with it by my ISP. That’s o.k., much better than what I saw before)!

Also took the opportunity to tighten up my web server’s security settings too, turning off some fancy, advanced features that the “dirt simple” web site I have up just didn’t need.

I’ll keep an eye on it and make further adjustments if warranted. Thanks so much again for your quick response and most knowledgeable help!


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.