Cloudflare Restore Visitor IP in 3 Steps with mod_remoteip

Cloudflare restore visitor IP address of the end user in all the server logs by utilizing the header CF-Connecting-IP header.

Cloudflare being the fastest Free DNS provider with presence in more than 100 countries and one of the most commonly used CDN(Content delivery network). Most of us use Cloudflare as the primary dns provider or authortative DNS in place of the default DNS service provided by the domain registrar.

So when we use cloudflare as the primary dns provider and have the traffic served through cloudflare proxy it helps in masking the original ip address of the server, thereby hiding the original service provider.

This is a very useful feature provided by cloudflare DNS which is available even in the free plan where the cloudflare will protect your website and server from bots and only pass clean traffic to your servers.

On the down side cloudflare while passing the user traffic it also masks or proxies the original visitor ips and your Apache server logs will only show the internal private IP addresses of cloudflare and not the original visitor ips. It will look something similar to the image shown below:

cloudflare internal ip address logged in apache

Here the IP addresses highlighted in red are all private internal ip address of cloudflare and not the public ip address of the end user.

This makes it very difficult when you analyse your server log files or sometimes we restrict admin access to only specific ip address (for example granting access to admin pages only to a specific range of ip address of your home or office). In this case, you will not be able to efficiently have access control based on ip addresses using the Apache directive Require all denied or Require ip 1.1.1.1

Mod_remoteip an apache module can be used along with cloudflare to restore the original visitor ip in the apache access and error logs if you are using apache server it is very simple to configure it.

There are two ways of getting the original visitor ip addresses to be logged in apache logs files instead of cloudflare internal ip address:

Cloudflare restore visitor IP using Mod_cloudflare

As per the latest update cloudflare has stopped support for mod_cloudflare from the versions Debian 9 and Ubuntu 18.04 LTS. If you are still interested in installing mod_cloudflare you can compile and build the module from the source code which is available in git repository (https://github.com/cloudflare/mod_cloudflare).

Cloudflare restore visitor IP using mod_remoteip (Recommended):

Cloudflare has now enhanced support for mod_remoteip apache module which can be installed and enabled to restore the original visitor ip address in apache server logs.

Below are the detailed steps to enable and configure apache module mod_remoteip to restore visitor ip address in cloudflare :

Installing mod_remoteip cloudflare on ubuntu 18.04/20.04

  • In order to install or enable mod_remoteip cloudflare on your Apache web server on Debian or Ubuntu run the below command on the terminal
sudo a2enmod remoteip
  • Restart or reload your Apache web server
sudo systemctl restart apache2
  • Update the Apache website config file or Apache virtual host configuration file (vhost config) by adding the header added by cloudflare each time the visitor ip is passed through cloudflare reverse proxy (RemoteIPHeader CF-Connecting-IP) as shown below
<Virtualhost *:443>
ServerAdmin admin@example.com
DocumentRoot /var/www/public_html
ServerName www.example.com
RemoteIPHeader CF-Connecting-IP
ErrorLog ${APACHE_LOG_DIR}/example_site_error.log
</Virtualhost>
  • Once your config file is updated, save the updated Apache config file.
  • Test your Apache configuration for syntax by running the following command
sudo apache2ctl configtest
  • You should get the response as Syntax OK
  • Now you can proceed to restart your Apache web server by running the below command
sudo systemctl restart apache2
  • Now try accessing your website, you should be able to see the original visitor IP address logged in the Apache access and error logs.

You can also check this Apache documentation on mod_remoteip(https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html)