Unable to get clint real ip from nginx => traefik proxy => cloudflare proxy

I am running a frontend app that is being served by nginx and nginx is behind traefik which is then behind cloudflare

currently i have tried all i can to get the client real ip and not successful,

here is what i have for default.conf and nginx.conf

default.conf

server {
  listen 8080;

  real_ip_header CF-Connecting-IP;
  set_real_ip_from 0.0.0.0/0;

  location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    try_files $uri $uri/ /index.html;
  }

  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /usr/share/nginx/html;
  }
}

nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
    multi_accept on;
}


http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"'

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 256;

    include /etc/nginx/conf.d/*.conf;
}

in the logs it still not showing me client real ip but showing the ip from the nat gateway entering into server where the server is setup, but i want the real ip of the original visitor

can someone point me to how to successful get this working?

I was able to get this working from another app that is not nginx running in same setup as the nginx and i got the client real ip fine with just the cloudflare header cf-connecting-ip but seems nginx is feeling so needy that it just cant seem to work

Is this the traefik server IP?

1 Like

the ip is from the ISP where the server traefik is running on is located, so probably the ISP ip before hitting the traefik NAT gateway

but all i know is same traefik, golang works fine and in traefik logs the cf-connecting-ip is using real ip but when it is react the frontend app then all of a sudden the cf-connecting-ip is not the client real ip

so not sure if cloudflare is refusing to use the client real ip when it detects it is frontend react app or something, all i know is the ips are not correct for the cf-connecting-ip when the app behind traefik is the react frontend app and it is correct when the app behind traefik is the golang backend app

please help :slight_smile: before all my hairs are gone

That isn’t how it works. Cloudflare will forward the headers, it doesn’t detect the type of application.

Is Traefik overriding or removing the header? It looks it might have some behavior related to that Use Cloudflare's Cf-Connecting-Ip header as X-Real-IP · Issue #8497 · traefik/traefik · GitHub

1 Like

I will look into the link you shared but the key is this

there is a golang app that is also behind traefik in the same docker network that works fine and when i look at the traefik logs for requests to the golang app, i see that cf-connecting-ip is setting the correct client ip BUT when it comes to the react app, the cf-connecting-ip in the traefik logs is not correct

so all things being equal without anything special traefik get sent correct client real ip with cf-connecting-ip header but sent wrong ip when it comes to the react app

now the react app has nginx to route the traffic so am not sure if there is issue there

but just read my comment above and you will see this is really weird

cloudflare is passing wrong ip when it comes to requests to react but correct one when it comes to the golang app, both behind the same traefik and nothing special setup for the golang app

This is where I think the issue is. If the header is reaching Traefik for the golang app then it is reaching Traefik so you know it is good coming from Cloudflare.

1 Like

that’s it from you regarding all that? lol

well like i said the ip sent to traefik is wrong for react app and correct for golang app

why and how can this happen? i have spent hours upon hours wondering how in the h3ll this is happening

pretty much there is ip sent for the cf-connecting-ip from cloudflare for the react app but it is wrong, and for the golang app it is correct

Do you have a minimal re-createable example? I could play around with it and try and debug