I am seeing real client IP on my origin server when the requests should be proxied. This means I can’t deny all but Cloudflare IP addresses in my .htaccess.
What steps have you taken to resolve the issue?
There aren’t many to do - just add the DNS name and enable proxy - which I’ve done.
Origin server is hosted on cPanel and Apache logs are showing real client IP addresses.
My intention was to add a .htaccess with a deny all and only allow Cloudflare IPs, but as soon as I do that the entire site is returning 403.
What feature, service or problem is this related to?
Blocking all but Cloudflare proxy IPs in .htaccess is not a standard practice. Seeing client IPs is typically preferred. Blocking access is typically implemented at the firewall level. If the host also serves sites that require direct connections, using authenticated origin pulls is the most effective option. Using your own CA certificate is more secure than using the one generated by Cloudflare since it will allow connections from other certificates issued by the Cloudflare AOP CA.
Thanks @epic.network. However, I believe I may have set something up incorrectly? Is it normal to see the client’s real IP address in my Apache access logs? I am not running any modules to read other fields for the source IP address such as mod_remoteip or mod_cloudflare. And, going by this article - Restoring original visitor IPs | Cloudflare Support docs - I should not be seeing the client’s real IP unless I purposefully go looking for it.
Who set up the cPanel? Could someone have configured it to log the actual visitor IPs without your knowledge? Is it possible that cPanel includes that by default? I know HestiaCP includes such a configuration.
I set up the cPanel. However, I know it is not just the logging because if I block all IPs via the .htaccess apart from Cloudflare addresses, I cannot connect.
It’s just not working as it is described in the doco.
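An added example, not code from any poster in this thread: a simplified Python model of how an IP-restoring module such as mod_remoteip changes the address that both the access log and a `Require ip` allowlist evaluate, which would produce the two symptoms described above together. That such a module is active on this server is an assumption; the proxy range and all addresses are constructed documentation values, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the proxy's address ranges (a documentation range);
# the real list is the one Cloudflare publishes.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def in_ranges(ip, ranges=PROXY_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def effective_client_ip(peer_ip, headers, restore_enabled):
    """Address that both the access log and `Require ip` evaluate.

    Simplified model of an IP-restoring module: the header is honoured only
    when the TCP peer is a trusted proxy and the value parses as an IP.
    """
    if not (restore_enabled and in_ranges(peer_ip)):
        return peer_ip
    try:
        return str(ipaddress.ip_address(headers.get("CF-Connecting-IP", "").strip()))
    except ValueError:
        return peer_ip


def allowlist_status(peer_ip, headers, restore_enabled):
    """HTTP status produced by a 'deny all except proxy ranges' rule."""
    client = effective_client_ip(peer_ip, headers, restore_enabled)
    return 200 if in_ranges(client) else 403


def diagnose(logged_ips):
    """Classify what an access log records for requests known to be proxied."""
    outside = [ip for ip in logged_ips if not in_ranges(ip)]
    if not outside:
        return "peer addresses logged: no restoration active"
    return "visitor addresses logged: restoration active or traffic bypasses the proxy"


if __name__ == "__main__":
    proxied = ("198.51.100.10", {"CF-Connecting-IP": "203.0.113.7"})  # constructed
    for restore in (False, True):
        print("restore =", restore, "->", allowlist_status(*proxied, restore))
    print(diagnose(["203.0.113.7", "203.0.113.9"]))
```

With restoration active, every proxied request is judged by the visitor's address, so an allowlist of proxy ranges returns 403 for all of them; filtering on the TCP peer has to happen before that substitution, for example at the firewall.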