I routed my domain traffic through Cloudflare, but Cloudflare still shows the user's IP at the origin server

I routed my domain traffic through Cloudflare, and as per my understanding the origin server will receive traffic from Cloudflare servers, but when I put a single line of PHP code on the remote (origin) server I can still get the IP of the users. I thought it would be masked. Is this a Cloudflare issue? And yes, my domain is completely masked by Cloudflare (reverse proxy): if I check the A record it shows a Cloudflare IP.

Can someone help with this?

Regards,
Arun

Sure, Cloudflare does provide the original IP address in the request header.

1 Like

Hi Sandro,

Thanks for the response.

Actually, that was my concern: I don’t want the origin server to see the user’s IP. Since I didn’t use any Cloudflare mods like mod_remoteip or mod_cloudflare, the origin server shouldn’t be getting the user’s IP, right?

Regards,
Arun

If you don’t rewrite IP addresses they won’t be immediately obvious to your server, but they will still be part of the request header and you cannot disable that.

1 Like

Are there any options to mask that? And I’m confused, in that case, why Cloudflare is providing the option “True-Client-IP Header”.

Another fact is, I didn’t even write a big chunk of code to get the IP. Just called the Remote Addr
$ipaddress = getenv("REMOTE_ADDR");

Thanks again for clearing the doubt.

As I wrote.

And if you were able to obtain the address in the mentioned way, something on your server is already rewriting addresses.

Hi Sandro,

Ok got your point.

But now I just tried with another Web Application Firewall provider and it is working fine over there. I can’t get the user’s IP, and all the time I get the firewall server IP. I used the same code and the same server.

Thanks

This header is used by some enterprise security solutions, and by other DDOS providers. It is provided to Enterprise customers to make migration to Cloudflare easier for some customers. It provides the exact same data as CF-Connecting-IP.

2 Likes

If you access the right header you’ll always be able to get the original address.

Thanks.

Just clearing a doubt: as @michael mentioned, the option “True-Client-IP Header” is for enterprise customers. So do you think if I was using enterprise or a paid plan I might have to use “True-Client-IP Header” to get the real IP address?

Regards,

That particular header is completely irrelevant, you’ll always get the proper client address in the aforementioned header, regardless of which plan you have.

You said you don’t want that header and that was addressed earlier. Under an Enterprise plan that might be possible and you could contact sales, under all other plans you’ll have the address.

1 Like

The Client IP address is available via the CF-Connecting-IP header on all plans. The same data is available in the X-Forwarded-For header, but in a potentially more complicated form, again on all plans.

If you are an Enterprise customer, and you cannot use or don’t want to use the CF-Connecting-IP header, you can enable the True-Client-IP header. Other than the name, it is exactly the same as CF-Connecting-IP.

One use case is where you maintain two CDNs for backup, load balancing or other purposes. You can change between the two at will without needing to change any processing on the Origin.

2 Likes
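The distinction the replies draw between REMOTE_ADDR and the CF-Connecting-IP / X-Forwarded-For headers, as an added example that is not part of the thread and not Cloudflare's code: it reports what an origin sees for a request and accepts the header only when the TCP peer is the proxy. The names `TRUSTED_PROXIES`, `ip_in_cidr` and `describe_request` are hypothetical, and the proxy ranges and sample requests are constructed documentation addresses, to be replaced with Cloudflare's published IP list.

```php
<?php
// Added example, not from the thread. Constructed documentation ranges stand in
// for the proxy's addresses; replace them with Cloudflare's published IP list.
const TRUSTED_PROXIES = ['198.51.100.0/24', '2001:db8::/32'];

// True when $ip lies inside $cidr (IPv4 or IPv6).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    if (!filter_var($ip, FILTER_VALIDATE_IP) || !filter_var($net, FILTER_VALIDATE_IP)) {
        return false;
    }
    $a = inet_pton($ip);
    $b = inet_pton($net);
    $full = intdiv((int) $bits, 8);   // whole bytes covered by the prefix
    $rem  = (int) $bits % 8;          // leftover bits in the next byte
    if (strlen($a) !== strlen($b) || strncmp($a, $b, $full) !== 0) {
        return false;                 // different address family or prefix mismatch
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($a[$full]) & $mask) === (ord($b[$full]) & $mask);
}

// Report what the origin can see for one request, given its $_SERVER array.
function describe_request(array $server): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $cfIp = $server['HTTP_CF_CONNECTING_IP'] ?? null;
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $viaProxy = (bool) array_filter(TRUSTED_PROXIES, fn($c) => ip_in_cidr($peer, $c));
    // The header is only meaningful when the TCP peer is the proxy. Otherwise the
    // request came direct, or a module already rewrote REMOTE_ADDR: use the peer.
    $useHeader = $viaProxy && $cfIp !== null && filter_var($cfIp, FILTER_VALIDATE_IP);
    return [
        'peer'              => $peer,
        'via_trusted_proxy' => $viaProxy,
        'client_ip'         => $useHeader ? $cfIp : $peer,
        'xff_chain'         => array_values(array_filter(array_map('trim', explode(',', $xff)))),
    ];
}

// Constructed samples: proxied, REMOTE_ADDR already rewritten, direct with a header set.
$samples = [
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '203.0.113.45', 'HTTP_X_FORWARDED_FOR' => '203.0.113.45'],
    ['REMOTE_ADDR' => '203.0.113.45'],
    ['REMOTE_ADDR' => '192.0.2.66', 'HTTP_CF_CONNECTING_IP' => '203.0.113.45'],
];
foreach ($samples as $s) { echo json_encode(describe_request($s)), PHP_EOL; }
```

In the third sample the header is ignored because the connection did not come from a listed proxy address, so a request that reaches the origin directly cannot choose the client IP that gets logged.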

Ok, I was confused with the option.

Thanks a lot for spending your time and clearing the doubts @michael and @sandro

You guys are awesome