NGINX LB cloudflare REAL IP

I created an Nginx LB for my k8s cluster.

I’m trying to forward the real client IP to nginx-ingress.

But no matter what I do, I still see the Cloudflare IP in “proxy.log” and also on nginx-ingress.

Here is my full nginx.conf file:

# https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_buffer_size
# NOTE(review): the link above documents proxy_buffer_size, which is not set
# anywhere in this file; the reference is informational only.
user  www-data;
worker_processes auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
# Per-worker open-file limit. Kept well above worker_connections because the
# stream proxy below holds a client socket and an upstream socket per session.
worker_rlimit_nofile 100000;

# Loads the TCP/UDP (layer-4) proxy module that the stream {} block relies on.
load_module modules/ngx_stream_module.so;

events {
    # Maximum simultaneous connections per worker (client + upstream sides both count).
    worker_connections  10224;
}

http {
    # Cloudflare Real IP Nginx
    #
    # NOTE(review): this http {} block declares no server {} / listen, so it never
    # handles a request. The realip directives below are therefore never applied:
    # all client traffic goes through the stream {} block, and ngx_http_realip_module
    # cannot act on a layer-4 TCP proxy, which never parses HTTP headers such as
    # CF-Connecting-IP. Either proxy HTTP here (as the older config does) or let
    # nginx-ingress do the CF-Connecting-IP extraction itself.
    #
    # Only Cloudflare's published ranges are trusted. That restriction matters:
    # if a source outside this list were trusted, any direct client could set
    # CF-Connecting-IP and spoof the address seen in logs and access controls.
    set_real_ip_from   103.21.244.0/22;
    set_real_ip_from   103.22.200.0/22;
    set_real_ip_from   103.31.4.0/22;
    set_real_ip_from   104.16.0.0/12;
    set_real_ip_from   108.162.192.0/18;
    set_real_ip_from   131.0.72.0/22;
    set_real_ip_from   141.101.64.0/18;
    set_real_ip_from   162.158.0.0/15;
    set_real_ip_from   172.64.0.0/13;
    set_real_ip_from   173.245.48.0/20;
    set_real_ip_from   188.114.96.0/20;
    set_real_ip_from   190.93.240.0/20;
    set_real_ip_from   197.234.240.0/22;
    set_real_ip_from   198.41.128.0/17;
    # 104.16.0.0/12 (104.16.0.0–104.31.255.255) already contains 104.24.0.0/14,
    # so this entry is redundant rather than a previously missing block.
    set_real_ip_from   104.24.0.0/14;
    set_real_ip_from   2400:cb00::/32;
    set_real_ip_from   2606:4700::/32;
    set_real_ip_from   2803:f800::/32;
    set_real_ip_from   2405:b500::/32;
    set_real_ip_from   2405:8100::/32;
    set_real_ip_from   2c0f:f248::/32;
    set_real_ip_from   2a06:98c0::/29;
    # Take the client address from Cloudflare's own header rather than
    # X-Forwarded-For; only connections from the ranges above are rewritten.
    real_ip_header     CF-Connecting-IP;
    
    # Hide the nginx version in error pages and the Server header.
    server_tokens off;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    # $remote_addr would be the realip-rewritten address if this block served traffic;
    # $http_x_forwarded_for is logged separately so the original chain stays visible.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
}

stream {

    # Layer-4 TCP load balancer in front of the k8s nodes. It forwards bytes and
    # never inspects HTTP, so $remote_addr here is the address that opened the TCP
    # connection to the LB — with Cloudflare in front, the Cloudflare edge IP. That
    # is what proxy.log records and what the PROXY protocol header (proxy_protocol on)
    # hands to nginx-ingress. The real client IP only exists inside the HTTP headers,
    # so it has to be extracted where HTTP is parsed: either on nginx-ingress (with
    # CF-Connecting-IP as its real-ip header and Cloudflare's ranges as trusted
    # sources — in ingress-nginx these are the use-proxy-protocol,
    # use-forwarded-headers and proxy-real-ip-cidr ConfigMap keys; confirm against
    # the version in use) or by proxying HTTP on the LB as the older config did.
    log_format proxy '$remote_addr [$time_local] '
        '$protocol $status $bytes_sent $bytes_received '
        '$session_time "$upstream_addr" '
        '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    # Per-node backends. A node is skipped for fail_timeout after max_fails
    # consecutive failed connection attempts.
    upstream nodes-http {
        server 192.168.10.2:80 max_fails=3 fail_timeout=10s;
        server 192.168.10.3:80 max_fails=3 fail_timeout=10s;
        server 192.168.10.4:80 max_fails=3 fail_timeout=10s;
    }

    upstream nodes-https {
        server 192.168.10.2:443 max_fails=3 fail_timeout=10s;
        server 192.168.10.3:443 max_fails=3 fail_timeout=10s;
        server 192.168.10.4:443 max_fails=3 fail_timeout=10s;
    }

    access_log /var/log/nginx/proxy.log proxy;
    error_log  /var/log/nginx/proxy.error;

    server {
        listen EXTERNAL_IP:80;
        # Prepends a PROXY protocol header carrying the connecting address
        # (here: the Cloudflare edge IP) to every upstream connection. The backend
        # must be configured to expect PROXY protocol, otherwise the header is
        # read as the start of an invalid HTTP request.
        proxy_protocol on;
        proxy_pass nodes-http;
        # Retry the next node when the connection to the chosen one fails.
        proxy_next_upstream on;
    }

    server {
        # TLS is terminated here with the self-signed certificate and re-encrypted
        # towards the node (proxy_ssl on below), so clients are shown this
        # self-signed certificate rather than the one nginx-ingress serves.
        # Passing TLS through unterminated (no "ssl" on listen, no proxy_ssl) would
        # let nginx-ingress terminate with its own certificates instead.
        listen EXTERNAL_IP:443 ssl;

        # proxy_ssl_certificate/_key are presented as a *client* certificate when
        # connecting to the upstream; the certificate served to clients is the
        # ssl_certificate pair below. Both currently point at the same self-signed files.
        proxy_ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        proxy_ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # PROXY protocol header is sent before the upstream TLS handshake starts.
        proxy_protocol on;
        proxy_ssl on;
        # NOTE(review): proxy_ssl_name is not set, so the SNI sent upstream defaults
        # to the proxy_pass host name ("nodes-https") per the nginx docs — confirm
        # nginx-ingress is not expected to route on SNI here. proxy_ssl_verify is
        # also at its default (off), so the node's certificate is not validated;
        # consider enabling it together with proxy_ssl_trusted_certificate.
        proxy_ssl_server_name on;
        proxy_pass nodes-https;
        proxy_next_upstream on;
    }
}

The old config that works perfectly:

The following old-style config works perfectly:

# Layer-7 (http) load balancer: the older configuration that preserved the
# client IP, kept for comparison with the stream-based config above.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;

events {
    # Maximum simultaneous connections per worker.
    worker_connections 2048;
}

http {
    # CLOUDFLARE
    # The client address is taken from X-Forwarded-For, but only for connections
    # arriving from the Cloudflare ranges listed below. Restricting the trusted
    # sources is what stops a direct client from spoofing its address through the
    # header. Because this proxy parses HTTP, the rewrite actually happens here —
    # unlike in a stream {} (TCP) proxy, which never sees the header.
    real_ip_header X-Forwarded-For;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;

    # LOG FORMAT
    # $remote_addr is the realip-rewritten client address once the directives
    # above have matched.
    log_format access '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

    upstream nodes {
        # Send each new request to the node with the fewest active connections.
        least_conn;
        server 192.168.10.2:443;
        server 192.168.10.3:443;
        server 192.168.10.4:443;
    }

    server {
        # One server answers both plain HTTP and TLS (self-signed); the :80
        # listener is proxied as-is rather than redirected to HTTPS.
        listen EXTERNAL_IP:80;
        listen EXTERNAL_IP:443 ssl;

        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

        location / {
            # Re-encrypts towards the nodes. NOTE(review): proxy_ssl_verify is not
            # set, so the node certificate is not validated (nginx default: off).
            proxy_pass https://nodes;
            proxy_http_version 1.1;
            # NOTE(review): WebSocket upgrades also need
            # `proxy_set_header Connection "upgrade";` per the nginx docs — not set here.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header  Host $host;
            # $remote_addr is already the real client IP, so the forwarded headers
            # carry it. X-Forwarded-For is replaced rather than appended to, which
            # drops the chain Cloudflare sent but leaves the backend nothing to spoof.
            proxy_set_header  X-Forwarded-For $remote_addr;
            # NOTE(review): X-Forwarded-Host conventionally carries the original Host
            # header, not an address — setting it to $remote_addr looks unintended.
            proxy_set_header  X-Forwarded-Host $remote_addr;
            # Overwrites whatever CF-Connecting-IP arrived with the verified address,
            # so the backend cannot be fed a forged value.
            proxy_set_header CF-Connecting-IP $remote_addr;
        }

        access_log /var/log/nginx/access.log access;
    }
}

The header you want is CF-Connecting-IP. This post has an nginx config in it that uses it…

I DID “real_ip_header CF-Connecting-IP;”

It still doesn’t help.

(I missed where you’d used the header, as it was at the bottom of the list.)

This IP block is missing from your list… 104.24.0.0/14

https://www.cloudflare.com/ips-v4/

I added the missing CIDR, but nothing…

I updated my config.