How to Obtain Real IP through Cloudflare - Nginx Reverse Proxy - Docker

Published by Rhein-Ruhr-Informatik on

Introduction

When using Cloudflare as a CDN and DDoS protection service, it acts as an intermediary between your website and its visitors. This means that by default, the IP address visible to your web server is the one belonging to Cloudflare, not the original visitor. This can create issues for logging, analytics, and security policies based on IP addresses. In this article, we will walk through the steps necessary to configure your Nginx server to properly log and use the real IP addresses of visitors when using Cloudflare, even within a Dockerized environment.

Understanding the Problem

When a visitor connects to your website through Cloudflare, the TCP connection to your origin is opened by a Cloudflare edge server, so the address Nginx sees in $remote_addr is the edge address, not the visitor's. This is what shields the origin from direct attacks, but it hides the true visitor IP. Cloudflare therefore adds request headers, CF-Connecting-IP and X-Forwarded-For, that carry the original client address. Nginx ignores these headers by default, and it must not trust them blindly either: any request that reaches the origin without passing through Cloudflare can carry a forged value. The realip module solves both problems by rewriting $remote_addr from the header only when the connection comes from an address range you have declared trustworthy, i.e. Cloudflare's.

Prerequisites

Before starting, ensure you have:

  1. An Nginx server with the ngx_http_realip_module module enabled. This module is what lets Nginx replace the connection address with the one carried in a header from a trusted peer.
  2. A basic understanding of Nginx configuration and Docker.
  3. Access to your server’s configuration files.

Step 1: Configuring Nginx to Use Real IP Headers

To make Nginx recognize the real IP from the headers provided by Cloudflare, you need to modify the configuration. First, confirm that ngx_http_realip_module is available: it is compiled into the packages shipped by the major distributions and by nginx.org, and nginx -V lists --with-http_realip_module among the configure arguments when it is present.

Next, create a file named cloudflare in the /etc/nginx/ directory with the following content:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
...
real_ip_header CF-Connecting-IP;

This file lists all Cloudflare IP ranges (IPv4 and IPv6) and instructs Nginx to accept the CF-Connecting-IP header as the client address only when the connection comes from one of them; a request that bypasses Cloudflare keeps the address it actually connected from, so a forged header has no effect. The current ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. Check them regularly, because they change over time: a stale list silently leaves requests arriving from a new edge range with the edge address instead of the visitor's.

Step 2: Including the Cloudflare Configuration in Nginx

Edit the main Nginx configuration file, usually located at /etc/nginx/nginx.conf. In the http {} section, include the newly created cloudflare configuration file:

http {
     include /etc/nginx/cloudflare;
     ...
}

This ensures that the real IP configuration is applied globally across all your server blocks.

Step 3: Logging Real IP Addresses

Once the realip module is active, $remote_addr already contains the visitor's address, so logging $http_cf_connecting_ip next to it would only repeat the same value. To keep the Cloudflare edge address as well, which is useful for spotting requests that did not come through Cloudflare at all, use $realip_remote_addr, the module's variable for the address the connection was actually accepted from. Modify the log_format directive in your nginx.conf accordingly, for example:

log_format main '$remote_addr - $realip_remote_addr [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';

The first field is the original visitor IP and the second is the Cloudflare edge IP (for a direct connection both fields show the same address). Make sure the access_log directive references this format by name (main), otherwise the change has no effect.

Step 4: Applying the Changes

To apply the changes, first check the configuration for syntax errors (this works the same on every distribution):

nginx -t

Then reload Nginx so the new configuration takes effect without dropping open connections:

  • With systemd (current CentOS/RHEL, Debian and Ubuntu releases):

systemctl reload nginx

  • With SysV init scripts:

service nginx reload

Step 5: Verifying the Configuration

Open your website through Cloudflare and inspect the Nginx access log (e.g., /var/log/nginx/access.log): the address logged as $remote_addr should be your own public IP, not an address from the Cloudflare ranges. Check the error log as well for warnings about the include file. This step is crucial to ensure that your configuration is working as expected.
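As an added example, not code from the original article, the following Python script carries Steps 1 through 5 in one place. It turns a downloaded Cloudflare range list into the include file from Step 1, refusing lines that are not valid CIDR networks so that a corrupted download cannot inject directives into the Nginx configuration, and it audits access-log lines to flag requests whose edge address is not a Cloudflare range, i.e. requests that reached the origin directly. It assumes the log format puts $remote_addr first and $realip_remote_addr (the realip module's variable for the address the connection actually came from) second; the range list and the log lines are constructed for the example.

```python
"""Build the Cloudflare realip include and audit access-log lines against it.
Added example (not from the article).  The range list and log lines below are
constructed; the real lists come from https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6 (one CIDR per line)."""
import ipaddress
import re
import sys

# Constructed stand-in for the concatenated ips-v4 + ips-v6 downloads.
SAMPLE_RANGE_LIST = """\
103.21.244.0/22
103.22.200.0/22
2400:cb00::/32
"""

# Constructed lines in the assumed log_format:
# '$remote_addr - $realip_remote_addr [$time_local] "$request" ...'
SAMPLE_LOG = """\
203.0.113.7 - 103.22.200.15 [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0" "203.0.113.7"
198.51.100.9 - 198.51.100.9 [01/Jan/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 403 0 "-" "python-requests/2.31" "-"
"""

LOG_RE = re.compile(r"^(?P<client>\S+) - (?P<edge>\S+) \[")


def parse_ranges(text):
    """One CIDR per line.  ip_network(strict=True) raises ValueError on
    anything that is not a clean network, so junk such as
    '1.2.3.0/24; include /etc/passwd' never reaches the config file."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    if not nets:
        raise ValueError("empty range list; refusing to write an include that trusts nobody")
    return nets


def render_include(nets, header="CF-Connecting-IP"):
    """Render the include body: trust only these peers, then take the client
    address from CF-Connecting-IP.  real_ip_recursive is not needed because
    Cloudflare puts a single address in that header."""
    lines = [f"set_real_ip_from {n.with_prefixlen};" for n in nets]
    lines.append(f"real_ip_header {header};")
    return "\n".join(lines) + "\n"


def is_cloudflare(addr, nets):
    """True if addr falls inside one of the trusted Cloudflare networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def audit_log(log_text, nets):
    """Return (client, edge) pairs whose edge address is not a Cloudflare
    peer.  For those requests realip did not rewrite $remote_addr, so the
    client field is the direct peer and any CF-Connecting-IP header sent
    with the request was (correctly) ignored."""
    direct = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_cloudflare(m.group("edge"), nets):
            direct.append((m.group("client"), m.group("edge")))
    return direct


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGE_LIST)
    # Redirect this output into /etc/nginx/cloudflare, then run nginx -t and reload.
    sys.stdout.write(render_include(nets))
    for client, edge in audit_log(SAMPLE_LOG, nets):
        print(f"direct-to-origin request from {client} (edge field {edge})", file=sys.stderr)
```

Run it once after downloading the two lists; the printed include body is what goes into /etc/nginx/cloudflare, followed by nginx -t and a reload. The audit half, fed the real access log, tells you two things at once: that realip is rewriting addresses (client and edge differ for Cloudflare hits) and which requests bypassed Cloudflare entirely, which is exactly the case in which a forged CF-Connecting-IP header would have mattered.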

Optional: Handling Real IP in a Dockerized Environment

If your web application runs inside a Docker container behind the Nginx instance configured above, the container only ever sees the TCP peer on the Docker network (the bridge gateway or the proxy container), so the real IP has to be forwarded explicitly: the front-end Nginx must pass it to the container in an X-Real-IP header set from $remote_addr with proxy_set_header. In the container's Nginx configuration, add the following line right after the fastcgi_pass directive (and after any include of fastcgi_params, so that this is the REMOTE_ADDR value PHP-FPM keeps):

fastcgi_param REMOTE_ADDR $http_x_real_ip;

This sets the $_SERVER['REMOTE_ADDR'] variable to the original IP in PHP-based applications. Because the container now believes whatever X-Real-IP says, it must be reachable only from the front-end proxy: do not publish its port on a public interface, or a direct request can impersonate any address. An equivalent and slightly cleaner approach is to enable the realip module in the container's Nginx as well, with set_real_ip_from covering the Docker network and real_ip_header X-Real-IP, so that $remote_addr is correct there too and the default fastcgi_params can be left untouched.
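As an added example, not from the article, here is the trust decision the container has to make, written out in Python so that it can be tested rather than reasoned about. It models the containerized application behind the front-end Nginx: the inputs are the TCP peer address (what REMOTE_ADDR holds before any override) and the X-Real-IP header, and the header is honoured only when the peer is on the trusted proxy network. The proxy network and the sample requests are constructed.

```python
"""Which address should a containerized app treat as the client?
Added example, not from the article.  TRUSTED_PROXIES and the sample
requests are constructed."""
import ipaddress

# Constructed: the Docker bridge network shared with the front-end Nginx.
# Only a peer on it is allowed to tell us who the client is.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/16")]


def client_ip(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the address to log and apply policy to.

    remote_addr: the TCP peer (REMOTE_ADDR before any fastcgi_param override)
    headers:     request headers as a dict; X-Real-IP is looked up case-insensitively

    The header wins only when the peer is a trusted proxy.  A request that
    reached the container directly keeps its peer address, so it cannot
    impersonate anyone by sending X-Real-IP itself."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted):
        return str(peer)
    forwarded = next((v for k, v in headers.items() if k.lower() == "x-real-ip"), None)
    if forwarded is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        # A trusted hop sent garbage: fall back to the peer rather than log an unparsable string.
        return str(peer)


# Constructed requests: (peer address, headers)
SAMPLE_REQUESTS = [
    ("172.18.0.2", {"X-Real-IP": "203.0.113.7"}),    # via the front-end proxy
    ("198.51.100.9", {"X-Real-IP": "203.0.113.7"}),  # direct hit with a forged header
    ("172.18.0.2", {}),                              # proxy forgot to set the header
    ("172.18.0.2", {"x-real-ip": "not-an-ip"}),      # malformed value from a trusted hop
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(f"{peer} {hdrs} -> {client_ip(peer, hdrs)}")
```

The second sample request is the one the fastcgi_param override alone does not protect against: if the container's port were published on a public interface, that request would arrive with REMOTE_ADDR already replaced by the forged header value. Keeping the container off public interfaces, or gating the header on the peer address as above, closes that path.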

Common Issues and Troubleshooting

  1. Incorrect IP in Logs: Double-check that the Cloudflare IP ranges are up-to-date (IPv6 included), that the real_ip_header directive names CF-Connecting-IP, and that the access_log directive actually uses the modified log_format.
  2. Nginx Configuration Errors: Use nginx -t to check for syntax errors in the configuration files before reloading Nginx.
  3. Docker Networking Issues: Confirm that the front-end Nginx really sends X-Real-IP to the container, and that the container's port is bound only to the Docker network or localhost, not to a public interface that would let requests bypass both Cloudflare and the proxy.

Conclusion

By following the steps outlined in this article, you can ensure that your Nginx server, even when running inside Docker, correctly logs and uses the original visitor IP addresses provided by Cloudflare. This is essential for accurate logging, security configurations, and analytics. With proper configuration, you can leverage the benefits of Cloudflare’s protection without sacrificing the visibility of real user data.
