Learn about Centmin Mod LEMP Stack today
Register Now

Cloudflare Getting Real IP From Behind Two Proxies

Discussion in 'System Administration' started by BamaStangGuy, Oct 17, 2019.

  1. BamaStangGuy

    BamaStangGuy Active Member

    609
    179
    43
    May 25, 2014
    Ratings:
    +245
    Local Time:
    5:23 PM
    I currently have the following setup:

    Client > CloudFlare > Ezoic > Orgin Server

    The problem is that now the real ip address of the user is not shown in nginx logs. How can I keep the real ipand forward it to my orgin server?

    I have a list of all exoic ip address ranges. I currently have cloudflare.conf uncommented.
     
    Last edited: Oct 17, 2019
  2. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    Do you mean Ezoic?
     
  3. eva2000

    eva2000 Administrator Staff Member

    42,386
    9,571
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,751
    Local Time:
    9:23 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    X-FORWARD-FOR not working for you Using the X-Forwarded-For (XFF) Header ? who's IP address are you seeing in your nginx logs ? cloudflare or ezoics ?

    Centmin Mod official Getting Started Guide step 5 outlines how to remedy this already as ezoic is like cloudflare in both they are proxies, so you need to setup X-FORWARD-FOR at nginx level as outlined at Nginx Cloudflare & Incapsula (reverse proxy HttpRealIpModule) - CentminMod.com LEMP Nginx web stack for CentOS which has examples for Cloudflare and Incapsula which is close to ezoic for the setup of set_real_ip_from and real_ip_header X-Forwarded-For directives.
     
  4. BamaStangGuy

    BamaStangGuy Active Member

    609
    179
    43
    May 25, 2014
    Ratings:
    +245
    Local Time:
    5:23 PM
    What am I missing then? I have uncommented the cloudflare.conf file and it includes:

    Code:
    include /usr/local/nginx/conf/cloudflare_customips.conf;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_header CF-Connecting-IP;
    and then I added the following line below the cloudflare.conf include in nginx.conf
    include /usr/local/nginx/conf/cloudflare.conf;
    include /usr/local/nginx/conf/ezoic.conf;

    which exoic.conf includes:
    Code:
    <more ips>
    set_real_ip_from 34.218.119.32/27;
    set_real_ip_from 34.245.205.0/27;
    set_real_ip_from 34.245.205.64/27;
    set_real_ip_from 35.172.155.192/27;
    set_real_ip_from 35.172.155.96/27;
    real_ip_header X-Forwarded-For;
    
    Which produces errors about duplicate real_ip_header
     
  5. BamaStangGuy

    BamaStangGuy Active Member

    609
    179
    43
    May 25, 2014
    Ratings:
    +245
    Local Time:
    5:23 PM
    Same thing happens if I just use cloudflare.conf with incapsula.conf
     
  6. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    To correct this, all you have to do is implement an XFF header.

    Using the X-Forwarded-For (XFF) Header

    Not sure about the exact edits needed for Centminmod ...

    I would like also to have some specific edits for that...
     
    Last edited: Oct 17, 2019
  7. eva2000

    eva2000 Administrator Staff Member

    42,386
    9,571
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,751
    Local Time:
    9:23 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    you can't use cloudflare real ip setup if ezoic is in front of your server, you need ezoic setup if it's in front of your server
     
  8. BamaStangGuy

    BamaStangGuy Active Member

    609
    179
    43
    May 25, 2014
    Ratings:
    +245
    Local Time:
    5:23 PM
    The client IP address isn't transferred from CloudFlare to Ezoic. That is the issue.
     
  9. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    I have the same setup also....

    Using Cloudflare and the Cloudflare app of Ezoic ...

    George if you want to check it is easy.

    Just use Cloudflare and enable from there at the apps the Ezoic app...
     
    • Like Like x 1
  10. ndha

    ndha Member

    78
    9
    8
    Sep 28, 2014
    Ratings:
    +27
    Local Time:
    6:23 AM
    Latest
    10
    In my setup for 2 proxies using CF Nameservers, i use like this:
    First Proxy is DDOS Protected IP/ DMCA Ignore IP
    Second is Cloudflare
    Third is main IP.

    in First, i use proxy.conf and cloudflare.conf
    Second, i use the First ip ex: proxy.conf and protectedip.conf

    So, i put the First ip in CF A Record.

    It can be use too with Incapsula > CF > Real IP or CF > Incapsula > Real IP.
     
  11. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    Last edited: Oct 21, 2019
  12. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    If anyone can get this working please post here...

    thank you
     
  13. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    Can we just edit the cloudflare set real ip config and add there the Ezoic ip's ?
     
  14. BamaStangGuy

    BamaStangGuy Active Member

    609
    179
    43
    May 25, 2014
    Ratings:
    +245
    Local Time:
    5:23 PM
    No, already tried that.
     
  15. Xon

    Xon Active Member

    164
    61
    28
    Nov 16, 2015
    Ratings:
    +214
    Local Time:
    7:23 AM
    1.15.x
    MariaDB 10.3.x
    You need to add;
    Code:
    real_ip_recursive on;
    Remove;
    Code:
    real_ip_header CF-Connecting-IP;
    Clouldflare sends a standard X-Forwarded-For anyway.

    I uses to do this for a setup using Cloudflare => Linode loadblancer => real server.
     
    • Like Like x 1
    • Informative Informative x 1
  16. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    at cloudflare.conf ?
     
    • Like Like x 1
  17. eva2000

    eva2000 Administrator Staff Member

    42,386
    9,571
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,751
    Local Time:
    9:23 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    nice (y)

     
  18. eva2000

    eva2000 Administrator Staff Member

    42,386
    9,571
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,751
    Local Time:
    9:23 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    in include /usr/local/nginx/conf/cloudflare_customips.conf which is placed in cloudflare.conf so csfcf.conf cronjob doesn't override contents of cloudflare.conf include file.
     
  19. BamaStangGuy

    BamaStangGuy Active Member

    609
    179
    43
    May 25, 2014
    Ratings:
    +245
    Local Time:
    5:23 PM
    Yes, this appears to be working for me now.
     
    • Like Like x 1
  20. pamamolf

    pamamolf Premium Member Premium Member

    3,585
    345
    83
    May 31, 2014
    Ratings:
    +667
    Local Time:
    1:23 AM
    Nginx-1.17.x
    MariaDB 10.3.x
    Ok so i must remove the real_ip_header CF-Connecting-IP from:

    Code:
    /usr/local/nginx/conf/cloudflare.conf
    and add the real_ip_recursive on; at:

    Code:
    /usr/local/nginx/conf/cloudflare_customips.conf
    ?

    Also i must whitelist the Ezoic ip's there like:

    Code:
    set_real_ip_from 34.218.119.32/27;
    set_real_ip_from 34.245.205.0/27;
    set_real_ip_from 34.245.205.64/27;
    set_real_ip_from 35.172.155.192/27;
    set_real_ip_from 35.172.155.96/27;
    real_ip_recursive on;