Real IP using argo tunnel and Nginx Proxy Manager

Is there any way to get the real ip address instead of the Cloudflare ip?
I’m using a few applications that need that IP, and I haven’t figured out a way to get it yet.

The CF-Connecting-IP request header will contain the IP of the visitor. Just make sure to only allow requests originating from Cloudflare IPs.

EDIT: This is actually mainly applicable when using a regular setup instead of Cloudflare Tunnel, but I’d still advise you to ensure your web server is not exposed to the internet. The CF-Connecting-IP header can only be trusted if the request actually comes from Cloudflare.

I need the real IP in the log for analytical purposes.

With nginx and the ngx_http_realip_module, I catch the real IP just fine when connecting via a proxied Cloudflare connection.

123.456.789.123 - - [22/Apr/2022:18:02:33 +0900] "GET /api/v1/timelines/home HTTP/2.0"

HOWEVER, when the connection comes in via a cloudflared tunnel, and when using EXACTLY the same ngingx setup as above, the originating IP shows as . Using the cloudflared tunnel, I can log the proper originating IP using a custom log and the $http_x_forwarded_for variable, but for the life of me I can’t make the log show the IP as the originating IP - - [22/Apr/2022:17:34:51 +0900] "GET /api/v1/streaming/? HTTP/1.1" blah blah Safari/537.36" "123.456.789.123"

Any ideas how I can get the real ip when using the cloudflared tunnel?

NGINX has a real_ip_header directive that you include in your conf - i.e real_ip_header CF-Connecting-IP; - I’m not sure if there’s anything else to be configured.

Apparently I didn’t make myself clear. Real_ip works when using a proxied Cloudflare connection, BUT IT DOES NOT work using the cloudflared tunnel, at least as far as I am concerned.

set_real_ip_from dictates if nginx cares about the real_ip_header directive - if it isn’t working then I’d recommend looking at that.

212.xx.xx.xx - - [22/Apr/2022:09:47:14 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "" "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" "212.xx.xx.xx"

My setup:

real_ip_header CF-Connecting-IP;


Works fine with proxied Cloudflare connection. DOES NOT WORK with cloudflared tunnel.

As you can see in your logs, the originating IP is != and !=

It isn’t an issue with Cloudflare Tunnels, your configuration explicitly isn’t acknowledging the real_ip_header from since your set_real_ip_from tells it not to.

If you want it to acknowledge the real_ip_header from, add in a set_real_ip_from directive that includes that.

1 Like

Crossed messages, same solution:

O.K., I think I found the solution. With a cloudflared (Argo) tunnel, the client IP is localhost
So I added this to the list of trusted IPs:


After doing that, the log dutifully reflects the real IP of the client that is accessing the Nginx server via the cloudflared tunnel