Is there any way to get the real ip address instead of the Cloudflare ip?
I’m using a few applications that need that IP, and I haven’t figured out a way to get it yet.
The CF-Connecting-IP request header will contain the IP of the visitor. Just make sure to only allow requests originating from Cloudflare IPs.
EDIT: This is actually mainly applicable when using a regular setup instead of Cloudflare Tunnel, but I’d still advise you to ensure your web server is not exposed to the internet. The CF-Connecting-IP header can only be trusted if the request actually comes from Cloudflare.
I need the real IP in the log for analytical purposes.
With nginx and the ngx_http_realip_module, I catch the real IP just fine when connecting via a proxied Cloudflare connection.
123.456.789.123 - - [22/Apr/2022:18:02:33 +0900] "GET /api/v1/timelines/home HTTP/2.0"
HOWEVER, when the connection comes in via a cloudflared tunnel, and when using EXACTLY the same ngingx setup as above, the originating IP shows as 127.0.0.1 . Using the cloudflared tunnel, I can log the proper originating IP using a custom log and the $http_x_forwarded_for variable, but for the life of me I can’t make the log show the IP as the originating IP
127.0.0.1 - - [22/Apr/2022:17:34:51 +0900] "GET /api/v1/streaming/? HTTP/1.1" blah blah Safari/537.36" "123.456.789.123"
Any ideas how I can get the real ip when using the cloudflared tunnel?
NGINX has a real_ip_header directive that you include in your conf - i.e real_ip_header CF-Connecting-IP; - I’m not sure if there’s anything else to be configured.
Apparently I didn’t make myself clear. Real_ip works when using a proxied Cloudflare connection, BUT IT DOES NOT work using the cloudflared tunnel, at least as far as I am concerned.
set_real_ip_from dictates if nginx cares about the real_ip_header directive - if it isn’t working then I’d recommend looking at that.
212.xx.xx.xx - - [22/Apr/2022:09:47:14 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "https://dimensional-framing-medicare-park.trycloudflare.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0" "212.xx.xx.xx"
My setup:
real_ip_header CF-Connecting-IP;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
etc
etc.
Works fine with proxied Cloudflare connection. DOES NOT WORK with cloudflared tunnel.
As you can see in your logs, the originating IP is 127.0.0.1
127.0.0.1 != 173.245.48.0/20 and 127.0.0.1 != 103.21.244.0/22
It isn’t an issue with Cloudflare Tunnels, your configuration explicitly isn’t acknowledging the real_ip_header from 127.0.0.1 since your set_real_ip_from tells it not to.
If you want it to acknowledge the real_ip_header from 127.0.0.1, add in a set_real_ip_from directive that includes that.
1 Like
Crossed messages, same solution:
O.K., I think I found the solution. With a cloudflared (Argo) tunnel, the client IP is localhost 127.0.0.1.
So I added this to the list of trusted IPs:
set_real_ip_from 127.0.0.1;
After doing that, the log dutifully reflects the real IP of the client that is accessing the Nginx server via the cloudflared tunnel
1 Like
This works for me by change nginx configuration
I’am using HestiaCP as hosting panel,
nano /etc/nginx/nginx.conf
add the following line
# Cloudflare Cloudflare dot com/ips
set_real_ip_from 192.168.1.123;
set_real_ip_from 127.0.0.1;