Logging clients' real IPs when using CloudFlare + Nginx + Apache

M373H

Member
Jan 18, 2015
16
0
1
cPanel Access Level
Root Administrator
I understand that cPanel doesn't support either Nginx or CloudFlare. It would be great if anyone has gone through this before and has a solution or suggestion for this problem.

I have Nginx standing as a reverse proxy in front of Apache. I'm able to log clients' real IPs by using the mod_rpaf module when using Nginx + Apache only, without CloudFlare. I then decided to add CloudFlare to my server. Now CloudFlare IPs are showing instead of clients' IPs. I have the Nginx RealIP Module installed, and I tried various configurations, but that didn't solve the problem. I then installed mod_cloudflare, which is supposed to log real clients' IPs to Apache as described on CloudFlare, but that also didn't solve the problem.

First, the working configurations for Nginx + Apache only are as follows:

Nginx Configuration:
Code:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
real_ip_header X-Client-IP;
mod_rpaf Configuration:
Code:
LoadModule rpaf_module /usr/local/apache/modules/mod_rpaf-2.0.so
<IfModule mod_rpaf-2.0.c>
RPAFenable On
RPAFproxy_ips 127.0.0.1 #Proxy IPs
RPAFsethostname On
RPAFheader X-Client-IP
</IfModule>
Until now clients' real IPs are shown correctly.

Second, using CloudFlare with Nginx + Apache:

Nginx Configuration:
Code:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;
mod_rpaf Configuration:
Code:
LoadModule rpaf_module /usr/local/apache/modules/mod_rpaf-2.0.so
<IfModule mod_rpaf-2.0.c>
RPAFenable On
RPAFproxy_ips 127.0.0.1 #Proxy IPs
RPAFsethostname On
RPAFheader CF-Connecting-IP
</IfModule>
So when using CloudFlare with the above configurations, the IPs being logged belong to CloudFlare despite the configurations made.

I tried the following combinations in the Nginx and mod_rpaf configurations, but there was no luck:
Code:
#Nginx
real_ip_header X-Client-IP;
real_ip_header X-Forwarded-For;
real_ip_header X-Real-IP;

#mod_rpaf
RPAFheader X-Client-IP
RPAFheader X-Forwarded-For
RPAFheader X-Real-IP
I've inserted real_ip_recursive on; in the Nginx configuration. I also inserted all CloudFlare IP ranges into the mod_rpaf configuration in a standalone try. However, none of that solved the problem.

Any reply is greatly appreciated. Thank you :)
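
How the trusted-proxy directives in the post above decide which address gets logged, as an added Python model that is not part of the original post and is not Nginx or mod_rpaf code. The function names, the two-hop helper and the 203.0.113.x / 198.51.100.x sample addresses are constructed; the range list is a subset of the one quoted in the post.

```python
import ipaddress

# Subset of the set_real_ip_from ranges quoted in the post (not a current list).
CLOUDFLARE = ["173.245.48.0/20", "108.162.192.0/18", "2400:cb00::/32"]
LOOPBACK = ["127.0.0.1/32"]  # the RPAFproxy_ips value from the post


def is_trusted(addr, trusted):
    """True if addr falls inside any of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(n) for n in trusted)
    return any(ip.version == n.version and ip in n for n in nets)


def resolve_client(peer, header_value, trusted, recursive=False):
    """Model of set_real_ip_from / real_ip_header / real_ip_recursive.

    The header is honoured only when the TCP peer is a trusted proxy, so a
    header sent by an arbitrary client cannot change the logged address.
    """
    if not header_value or not is_trusted(peer, trusted):
        return peer
    try:
        hops = [str(ipaddress.ip_address(h.strip()))
                for h in header_value.split(",")]
    except ValueError:
        return peer                  # malformed header: keep the peer address
    if not recursive:
        return hops[-1]              # last address listed in the header
    for hop in reversed(hops):       # recursive: last address that is not trusted
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]                   # every hop was a trusted proxy


def two_hop(cf_edge, cf_connecting_ip):
    """Hop 1: Nginx sees the Cloudflare edge. Hop 2: Apache sees Nginx on loopback.

    Assumes Nginx forwards the address it resolved in a single-value header.
    """
    at_nginx = resolve_client(cf_edge, cf_connecting_ip, CLOUDFLARE)
    at_apache = resolve_client("127.0.0.1", at_nginx, LOOPBACK)
    return at_nginx, at_apache
```

In this model, a multi-value X-Forwarded-For read with only loopback trusted and no recursion resolves to the Cloudflare edge address; trusting the Cloudflare ranges as well and enabling recursion resolves to the visitor.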
 

M373H

I need to modify the LogFormat in Apache in order to add the X-Forwarded-For header and log clients' real IPs. I attempted to edit that in the httpd.conf file, but I then found two separate parts for the LogFormat. So I'm not sure if they are duplicates, whether I should remove either of them or not, and I don't know which of them to edit, or whether I should edit them all. I need some advice on this.

Here is the first part:
Code:
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

CustomLog "logs/access_log" common

<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

</IfModule>
The second part:
Code:
<IfModule mod_log_config.c>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log common

</IfModule>
I don't know what the difference is between the first and second parts. I can see that two lines are duplicated in the two parts. So, which part should I edit? Is it safe to remove the duplicate lines from one part and keep the other? Can I combine the non-duplicated lines in one part?

Thank you.
 

M373H

Hello,

I see that you have already tried most of the solutions in the following thread, but you may want to check it out again just in case:

https://forums.cpanel.net/threads/information-about-x-forwarded-for.431271/

Thank you.
Thank you for your reply,

I attempted to modify the LogFormat in httpd.conf, but I found two separate parts of LogFormat that have a portion that looks nearly duplicated. So, I'm not sure which to edit or whether I should remove the duplicate lines. I just opened a new thread for that. It would be great if you could share some advice regarding this.

Thank you :)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Could you try editing both entries in the httpd.conf file and then run the Apache distiller to see if the changes are preserved?

Thank you.
 

M373H

Could you try editing both entries in the httpd.conf file and then run the Apache distiller to see if the changes are preserved?

Thank you.

Thank you Michael :)

Last thing: I made some changes to the LogFormat in httpd.conf and switched to mod_remoteip instead of mod_rpaf. Now the IPs are reporting correctly in the following file: /usr/local/apache/logs/access_log. However, it still reports CloudFlare IPs in the Latest Visitors stats for any cPanel account on the server.

Here is the LogFormat after editing:
Code:
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-Connecting-IP}i" combined
LogFormat "%h %l %u %t \"%r\" %>s %b %{CF-Connecting-IP}i" common

CustomLog "logs/access_log" combined

<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-Connecting-IP}i" combined
</IfModule>

</IfModule>

<IfModule mod_log_config.c>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{CF-Connecting-IP}i" combined
LogFormat "%h %l %u %t \"%r\" %>s %b %{CF-Connecting-IP}i" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log common
CustomLog logs/access_log combined

</IfModule>
Is there a log configuration file regarding the latest visitors stats? Do I need to modify the LogFormat somewhere else besides the httpd.conf file? Or is there anything missing in the above LogFormat?

Thank you.
 

cPanelMichael

Is there a log configuration file regarding the latest visitors stats?
This data comes from the Apache domlogs:

/usr/local/apache/domlogs/$username/

Have you verified that new data written to the domlogs are showing the CloudFlare IP address?

Thank you.
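
One way to run the check asked for above over domlog lines written with the edited combined LogFormat from this thread (added example, not cPanel tooling and not part of the original posts). The sample lines, category names and function names are constructed, and the range list is a subset of the one in the first post.

```python
import ipaddress
import re

# Subset of the Cloudflare ranges quoted in the first post (not a current list).
CF_NETS = [ipaddress.ip_network(n) for n in
           ("173.245.48.0/20", "108.162.192.0/18", "104.16.0.0/12")]

Q = r'"(?:[^"\\]|\\.)*"'   # quoted field; Apache writes embedded quotes as \"
# %h %l %u %t "%r" %>s %b "Referer" "User-Agent" %{CF-Connecting-IP}i
LINE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+ '
                  + Q + ' ' + Q + r' (?P<cf>\S+)$')

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '173.245.48.10 - - [18/Jan/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 203.0.113.7',
    '203.0.113.7 - - [18/Jan/2015:10:00:01 +0000] "GET /a HTTP/1.1" 200 90 "-" "Mozilla/5.0" 203.0.113.7',
    '198.51.100.9 - - [18/Jan/2015:10:00:02 +0000] "GET /b HTTP/1.1" 404 - "-" "curl/7.40" -',
    '198.51.100.9 - - [18/Jan/2015:10:00:03 +0000] "GET /c HTTP/1.1" 200 10 "-" "curl/7.40" 192.0.2.55',
]


def in_cloudflare(addr):
    """True if addr parses as an IP inside one of the listed ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip.version == n.version and ip in n for n in CF_NETS)


def classify(line):
    m = LINE.match(line)
    if not m:
        return "unparsed"
    host, cf = m.group("host"), m.group("cf")
    if in_cloudflare(host):
        return "proxy-ip-logged"    # %h is still the Cloudflare edge address
    if cf == "-":
        return "no-cf-header"       # request did not carry CF-Connecting-IP
    # %{...}i logs whatever was sent; from a non-Cloudflare peer it is unverified
    return "ok" if host == cf else "untrusted-header"


def summarize(lines):
    counts = {}
    for line in lines:
        kind = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```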