Real IP using argo tunnel and Nginx Proxy Manager

Is there any way to get the real ip address instead of the Cloudflare ip?
I’m using a few applications that need that IP, and I haven’t figured out a way to get it yet.

The CF-Connecting-IP request header will contain the IP of the visitor. Just make sure to only allow requests originating from Cloudflare IPs.

EDIT: This is actually mainly applicable when using a regular setup instead of Cloudflare Tunnel, but I’d still advise you to ensure your web server is not exposed to the internet. The CF-Connecting-IP header can only be trusted if the request actually comes from Cloudflare.

I need the real IP in the log for analytical purposes.

With nginx and the ngx_http_realip_module, I catch the real IP just fine when connecting via a proxied Cloudflare connection.

123.456.789.123 - - [22/Apr/2022:18:02:33 +0900] "GET /api/v1/timelines/home HTTP/2.0"

HOWEVER, when the connection comes in via a cloudflared tunnel, and when using EXACTLY the same nginx setup as above, the originating IP shows as 127.0.0.1. Using the cloudflared tunnel, I can log the proper originating IP using a custom log and the $http_x_forwarded_for variable, but for the life of me I can’t make the log show the IP as the originating IP.

127.0.0.1 - - [22/Apr/2022:17:34:51 +0900] "GET /api/v1/streaming/? HTTP/1.1" blah blah Safari/537.36" "123.456.789.123"

Any ideas how I can get the real ip when using the cloudflared tunnel?

NGINX has a real_ip_header directive that you include in your conf - i.e. real_ip_header CF-Connecting-IP; - I’m not sure if there’s anything else to be configured.

Apparently I didn’t make myself clear. Real_ip works when using a proxied Cloudflare connection, BUT IT DOES NOT work using the cloudflared tunnel, at least as far as I am concerned.

set_real_ip_from dictates if nginx cares about the real_ip_header directive - if it isn’t working then I’d recommend looking at that.

212.xx.xx.xx - - [22/Apr/2022:09:47:14 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "https://dimensional-framing-medicare-park.trycloudflare.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" "212.xx.xx.xx"

My setup:

real_ip_header CF-Connecting-IP;

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
etc
etc.

Works fine with proxied Cloudflare connection. DOES NOT WORK with cloudflared tunnel.

As you can see in your logs, the originating IP is 127.0.0.1

127.0.0.1 != 173.245.48.0/20 and 127.0.0.1 != 103.21.244.0/22

It isn’t an issue with Cloudflare Tunnels, your configuration explicitly isn’t acknowledging the real_ip_header from 127.0.0.1 since your set_real_ip_from tells it not to.

If you want it to acknowledge the real_ip_header from 127.0.0.1, add in a set_real_ip_from directive that includes that.

Crossed messages, same solution:

O.K., I think I found the solution. With a cloudflared (Argo) tunnel, the client IP is localhost 127.0.0.1.
So I added this to the list of trusted IPs:

set_real_ip_from 127.0.0.1;

After doing that, the log dutifully reflects the real IP of the client that is accessing the Nginx server via the cloudflared tunnel.
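
The trust decision discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how ngx_http_realip_module picks the logged address, covering the proxied case, the tunnel case before and after adding 127.0.0.1, and a direct connection carrying a forged header. The function names and the 203.0.113.7 / 198.51.100.9 addresses are constructed for illustration.

```python
import ipaddress

# Ranges quoted in the thread's nginx config (the poster elided the rest with "etc").
CLOUDFLARE_RANGES = ["173.245.48.0/20", "103.21.244.0/22"]

def resolve_client_ip(peer, headers, trusted, header_name="CF-Connecting-IP"):
    """Return the address nginx would log: the header value only if the
    TCP peer matches a set_real_ip_from entry, otherwise the peer itself."""
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(t) for t in trusted]
    if not any(peer_ip in net for net in nets):
        return str(peer_ip)            # untrusted peer: header is ignored
    raw = headers.get(header_name, "")
    last = raw.split(",")[-1].strip()  # for list headers the last entry is used
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return str(peer_ip)            # missing or malformed header: keep peer

def demo():
    hdr = {"CF-Connecting-IP": "203.0.113.7"}   # constructed visitor address
    with_loopback = CLOUDFLARE_RANGES + ["127.0.0.1"]
    return {
        # Proxied connection: peer is a Cloudflare edge address.
        "proxied": resolve_client_ip("173.245.48.10", hdr, CLOUDFLARE_RANGES),
        # cloudflared tunnel: peer is loopback, which is not yet trusted.
        "tunnel_before": resolve_client_ip("127.0.0.1", hdr, CLOUDFLARE_RANGES),
        # Same request after adding set_real_ip_from 127.0.0.1.
        "tunnel_after": resolve_client_ip("127.0.0.1", hdr, with_loopback),
        # Direct connection from an arbitrary host sending a forged header.
        "direct_forged": resolve_client_ip("198.51.100.9", hdr, with_loopback),
        "malformed": resolve_client_ip(
            "127.0.0.1", {"CF-Connecting-IP": "not-an-ip"}, with_loopback),
    }

if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:14} -> {ip}")
```

Once 127.0.0.1 is trusted, the header is accepted from any process on the host that can connect to nginx, so the listener should be reachable only by cloudflared.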