Apache log not showing real client IP instead of cloudflare IP

frog9394

Dear All,

I have found this guide: https://docs.directadmin.com/webservices/apache/general.html#mod-remoteip. But I can't find the file /etc/httpd/conf/extra/httpd-cloudflare.conf. I have 3 DirectAdmin boxes and none of them has this file. Is there anything I need to do in CustomBuild or something like that to enable this feature? Or will it work if I just download this file and put it in /etc/httpd/conf/extra? If so, where can I download the file?

Best Regards,
Frog.
 
Maybe you have an old Apache or a DA that has not been updated?
I have this file in Apache 2.4+.
 
Hi Zhenyapan,

I update our server monthly. I am using Apache 2.4.53 right now.

Latest version of Apache: 2.4.54
Installed version of Apache: 2.4.53

Apache 2.4.53 to 2.4.54 update is available.

Also, I just downloaded the file httpd-cloudflare.conf from files.directadmin.com and placed it into the /etc/httpd/extra folder, and it still does not work.
 
Showing the client's real IP in the Apache log has been solved. But it leads to another problem. I have a .htaccess in my website that only allows Cloudflare IPs to access our website. Content as below:
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22

It was working flawlessly before. After including httpd-cloudflare.conf in httpd.conf, I think Apache compares the client's real IP with this list, so Apache sends 403 since the IP is not in the allow list. In the meantime, I can only comment out these lines to let it work. Ultimately, I don't want any IP other than Cloudflare's to request our website directly, to increase security. Does anyone have a thought? Thanks!
 
While traffic still comes from Cloudflare IPs, just with the additional remote-ip mark, you can configure CSF to pass only Cloudflare IPs to the webserver ports (80/443 etc.), but that applies to the whole server.
 
If you proxy from Cloudflare, it will always come from Cloudflare, so why do you still need a whitelist?

With "mod_remoteip", all IPs that come from Cloudflare will be changed into visitor IPs.

print_r($_SERVER);

It doesn't have any proxy IP that comes from Cloudflare; it will always be the visitor IP.



I don't know how Apache works with the real_ip header.
For anyone using nginx (this can still use the real_ip header):

/etc/nginx/nginx-include.conf
Code:
geo $realip_remote_addr $cloudflare_ip {
    default          0;
    103.21.244.0/22  1;
    103.22.200.0/22  1;
    103.31.4.0/22    1;
    104.16.0.0/12    1;
    108.162.192.0/18 1;
    131.0.72.0/22    1;
    141.101.64.0/18  1;
    162.158.0.0/15   1;
    172.64.0.0/13    1;
    173.245.48.0/20  1;
    188.114.96.0/20  1;
    190.93.240.0/20  1;
    197.234.240.0/22 1;
    198.41.128.0/17  1;
    199.27.128.0/21  1;
    2400:cb00::/32   1;
    2405:8100::/32   1;
    2405:b500::/32   1;
    2606:4700::/32   1;
    2803:f800::/32   1;
    2c0f:f248::/32   1;
    2a06:98c0::/29   1;
}

>>> Custom Nginx per Domains [CUSTOM2]
Code:
if ($cloudflare_ip != 1) {
    return 403;
}
 
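To make concrete why the `Require ip` list broke once httpd-cloudflare.conf was included, here is an added Python model (not code from the thread or from DirectAdmin) of what mod_remoteip does when configured with `RemoteIPHeader CF-Connecting-IP` and the Cloudflare ranges as `RemoteIPTrustedProxy`, which is assumed to be what that file sets. The allowlist evaluated on the rewritten address rejects a genuine proxied request, while the same list evaluated on the connection peer (the `$realip_remote_addr` approach in the nginx config above) accepts it and still rejects a direct connection carrying a forged header; all addresses used are constructed samples.

```python
import ipaddress

# IPv4 ranges from the thread's .htaccess; verify against Cloudflare's
# published list before relying on them, since these ranges change.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(addr: str) -> bool:
    """True if addr lies inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def effective_client_ip(peer_ip: str, headers: dict) -> str:
    """Assumed model of mod_remoteip with RemoteIPTrustedProxy: the
    CF-Connecting-IP header replaces the client address only when the TCP
    peer is a trusted proxy; otherwise the peer address is kept unchanged."""
    header = headers.get("CF-Connecting-IP")
    if header and is_cloudflare(peer_ip):
        try:
            ipaddress.ip_address(header)  # ignore a malformed header value
            return header
        except ValueError:
            pass
    return peer_ip


def require_ip_after_remoteip(peer_ip: str, headers: dict) -> bool:
    """What '.htaccess Require ip <cloudflare ranges>' evaluates after
    mod_remoteip ran: the rewritten visitor address, which is never a
    Cloudflare address, so a legitimate proxied request is denied (403)."""
    return is_cloudflare(effective_client_ip(peer_ip, headers))


def require_peer_is_cloudflare(peer_ip: str, headers: dict) -> bool:
    """The check the thread actually wants: evaluate the allowlist against
    the connection peer, and use the header only to log the visitor IP."""
    return is_cloudflare(peer_ip)
```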
So, I think it can only be done at the firewall level. I can't do that because there are multiple websites on this server and some are connected directly from the client's IP. So I need it at the application level (Apache). Anyway, thanks for your help. I am researching the directive RemoteIPProxyProtocol On to see if this can fulfill part of my needs, but bad bots may forge the header. At least it helps a little bit.
 
> If you proxy from Cloudflare, it will always come from Cloudflare, so why do you still need a whitelist?
>
> With "mod_remoteip", all IPs that come from Cloudflare will be changed into visitor IPs.
>
> print_r($_SERVER);
>
> It doesn't have any proxy IP that comes from Cloudflare; it will always be the visitor IP.

Because you need to prevent some bad bots or hackers from directly accessing your server by forging the Host: header or initiating some attacks, etc. Make sure all traffic is "washed" by Cloudflare before going to your server. ;)
 