Is there any way to get the real ip address instead of the Cloudflare ip?
I’m using a few applications that need that IP, and I haven’t figured out a way to get it yet.
The CF-Connecting-IP request header will contain the IP of the visitor. Just make sure to only allow requests originating from Cloudflare IPs.
EDIT: This is actually mainly applicable when using a regular setup instead of Cloudflare Tunnel, but I’d still advise you to ensure your web server is not exposed to the internet. The CF-Connecting-IP header can only be trusted if the request actually comes from Cloudflare.
I need the real IP in the log for analytical purposes.
With nginx and the ngx_http_realip_module, I catch the real IP just fine when connecting via a proxied Cloudflare connection.
123.456.789.123 - - [22/Apr/2022:18:02:33 +0900] "GET /api/v1/timelines/home HTTP/2.0"
HOWEVER, when the connection comes in via a cloudflared tunnel, and when using EXACTLY the same nginx setup as above, the originating IP shows as 127.0.0.1. Using the cloudflared tunnel, I can log the proper originating IP using a custom log and the $http_x_forwarded_for variable, but for the life of me I can’t make the log show the IP as the originating IP.
127.0.0.1 - - [22/Apr/2022:17:34:51 +0900] "GET /api/v1/streaming/? HTTP/1.1" blah blah Safari/537.36" "123.456.789.123"
Any ideas how I can get the real ip when using the cloudflared tunnel?
NGINX has a real_ip_header directive that you include in your conf - i.e. real_ip_header CF-Connecting-IP; - I’m not sure if there’s anything else to be configured.
Apparently I didn’t make myself clear. Real_ip works when using a proxied Cloudflare connection, BUT IT DOES NOT work using the cloudflared tunnel, at least as far as I am concerned.
set_real_ip_from dictates if nginx cares about the real_ip_header directive - if it isn’t working then I’d recommend looking at that.
212.xx.xx.xx - - [22/Apr/2022:09:47:14 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "https://dimensional-framing-medicare-park.trycloudflare.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" "212.xx.xx.xx"
My setup:
real_ip_header CF-Connecting-IP;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
etc
etc.
Works fine with proxied Cloudflare connection. DOES NOT WORK with cloudflared tunnel.
As you can see in your logs, the originating IP is 127.0.0.1
127.0.0.1 != 173.245.48.0/20 and 127.0.0.1 != 103.21.244.0/22
It isn’t an issue with Cloudflare Tunnels, your configuration explicitly isn’t acknowledging the real_ip_header from 127.0.0.1 since your set_real_ip_from tells it not to.
If you want it to acknowledge the real_ip_header from 127.0.0.1, add in a set_real_ip_from directive that includes that.
Crossed messages, same solution:
O.K., I think I found the solution. With a cloudflared (Argo) tunnel, the client IP is localhost 127.0.0.1.
So I added this to the list of trusted IPs:
set_real_ip_from 127.0.0.1;
After doing that, the log dutifully reflects the real IP of the client that is accessing the Nginx server via the cloudflared tunnel
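The trust decision discussed in the replies above, as an added example that is not part of the original posts: a simplified Python model (not nginx's own code) of how the realip module chooses the logged address, assuming real_ip_recursive is off and a single-address header such as CF-Connecting-IP. The function name and the sample client addresses are constructed for illustration; the two Cloudflare ranges are the ones quoted in the thread.

```python
import ipaddress

# Partial trusted list as posted in the thread (the rest was elided as "etc").
CF_RANGES = ["173.245.48.0/20", "103.21.244.0/22"]


def effective_client_ip(peer, header_value, trusted):
    """Return the address that would be logged as the client.

    peer         -- address of the TCP peer that connected to nginx
    header_value -- value of the header named by real_ip_header, or None
    trusted      -- the set_real_ip_from entries (addresses or CIDR ranges)
    """
    peer_ip = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(t) for t in trusted]
    # The header is consulted only when the peer is in a trusted range.
    if not any(peer_ip.version == n.version and peer_ip in n for n in nets):
        return peer
    if not header_value:
        return peer
    try:
        # A header that does not parse as an address leaves the peer unchanged.
        return str(ipaddress.ip_address(header_value.strip()))
    except ValueError:
        return peer


def demo():
    visitor = "203.0.113.7"  # constructed sample visitor address
    return {
        # Proxied (orange-cloud) request: the peer is a Cloudflare edge address.
        "proxied": effective_client_ip("173.245.48.10", visitor, CF_RANGES),
        # cloudflared tunnel: the peer is the local daemon, not in the list.
        "tunnel_before": effective_client_ip("127.0.0.1", visitor, CF_RANGES),
        # Same request after adding set_real_ip_from 127.0.0.1.
        "tunnel_after": effective_client_ip(
            "127.0.0.1", visitor, CF_RANGES + ["127.0.0.1"]),
        # Direct connection from an untrusted peer that sends the header itself.
        "direct_forged": effective_client_ip(
            "198.51.100.20", visitor, CF_RANGES + ["127.0.0.1"]),
    }


if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:14} -> {logged}")
```

Once 127.0.0.1 is trusted, any local process that can reach the nginx listener can set the logged address, so the listener should be reachable only by cloudflared.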
This works for me by changing the nginx configuration.
I’m using HestiaCP as hosting panel,
nano /etc/nginx/nginx.conf
add the following line
# Cloudflare Cloudflare dot com/ips
set_real_ip_from 192.168.1.123;
set_real_ip_from 127.0.0.1;