Restoring the original visitor IP address behind Cloudflare is easily done by using the CF-Connecting-IP header.
Cloudflare is the fastest free DNS provider and one of the most commonly used CDNs (content delivery networks). Most of us use Cloudflare as the primary DNS provider instead of the DNS service provided by the domain registrar.
When we use Cloudflare as the primary DNS provider and have the traffic served through the Cloudflare proxy, it masks the original IP address of the server, thereby hiding the original service provider.
This is a very useful feature of Cloudflare DNS, available even in the free plan: Cloudflare protects your website and server from bots and passes only clean traffic to your servers.
On the downside, while passing user traffic through, Cloudflare also masks (proxies) the original visitor IPs, so your Apache server logs will show only the internal private IP addresses of Cloudflare and not the original visitor IPs.
This makes it very difficult to analyse your server log files. It also matters when admin access is restricted to specific IP addresses (for example, granting access to admin pages only to the IP address range of your home or office): in that case, access control based on IP addresses no longer works reliably.
mod_remoteip, an Apache module, can be used along with Cloudflare to restore the original visitor IP. If you are using the Apache server, it is very simple to configure.
Steps to restore the original visitor IP address in Cloudflare:
There are two ways to restore the original visitor IP address with Cloudflare:
- Restore the visitor IP using mod_cloudflare: As per the latest update, Cloudflare has stopped supporting mod_cloudflare starting with Debian 9 and Ubuntu 18.04 LTS. If you are still interested in installing mod_cloudflare, you can compile and build the module from the source code, which is available in the git repository (https://github.com/cloudflare/mod_cloudflare).
- Restore the original visitor IP using mod_remoteip (recommended): Cloudflare has now enhanced its support for the mod_remoteip Apache module, which can be installed and enabled to restore the original visitor IP address in the Apache server logs.
Below are the detailed steps to enable and configure the Apache module mod_remoteip to restore the visitor IP address in Cloudflare:
- To install or enable mod_remoteip on your Apache web server on Debian or Ubuntu, run the command below in the terminal
sudo a2enmod remoteip
- Restart or reload your Apache web server
sudo systemctl restart apache2
- Update the Apache website or vhost config file by adding the directive RemoteIPHeader CF-Connecting-IP. CF-Connecting-IP is the header Cloudflare adds each time a visitor request passes through the Cloudflare reverse proxy, and it carries the visitor IP.
- Save the updated Apache config file.
- Test your Apache configuration for syntax errors by running the following command
sudo apache2ctl configtest
- You should get the response Syntax OK
- Now you can restart your Apache web server by running the command below
sudo systemctl restart apache2
- Now try accessing your website; you should see the original visitor IP address logged in the Apache logs
You can also check the Apache documentation on mod_remoteip (https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html)
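
A vhost configuration for the steps above, added here as an example (it is not from the original article). With RemoteIPHeader alone, the header value is accepted from whoever connects to the origin, so this version also limits it to Cloudflare's proxies, which matters when admin access is restricted by IP. The server name, file paths, log format name and the 203.0.113.0/24 office range are assumptions to replace with your own values.

```apache
# Added example; hostnames, paths and address ranges are placeholders.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Take the client address from the header Cloudflare sets on proxied requests.
    RemoteIPHeader CF-Connecting-IP

    # Honour that header only when the connection comes from a listed proxy.
    # The file holds one address range per line, copied from the list
    # Cloudflare publishes at https://www.cloudflare.com/ips/
    RemoteIPTrustedProxyList /etc/apache2/cloudflare-ips.txt

    # %a logs the client address as determined by mod_remoteip.
    LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" cf_combined
    CustomLog ${APACHE_LOG_DIR}/access.log cf_combined

    # IP-based admin restriction, evaluated against the restored visitor address.
    <Location "/admin">
        Require ip 203.0.113.0/24
    </Location>
</VirtualHost>
```

Keep the trusted proxy file in sync with Cloudflare's published ranges, and run the configtest step after every change to it.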