Cloudflare Getting Real IP From Behind Two Proxies

Discussion in 'System Administration' started by BamaStangGuy, Oct 17, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    not remove, replace with standard one
    Code (Text):
    real_ip_header X-Forwarded-For;
    

    actually in that case I wouldn't use cloudflare.conf include file at all and use custom one as csfcf.sh cronjob would override cloudflare.conf every time right now

    i'm going to update csfcf.sh cronjob to use
    Code (Text):
    real_ip_header X-Forwarded-For;
    

    instead of
    Code (Text):
    real_ip_header CF-Connecting-IP;

    so that other non-cloudflare reverse proxies would work too
     
  2. BamaStangGuy

    BamaStangGuy Active Member

    You only need real_ip_recursive on; inside the cloudflare conf. Inside the ezoic one you still use real_ip_header X-Forwarded-For; at the end
     
  3. pamamolf

    pamamolf Premium Member Premium Member

    Nginx doesn't start :(

    I also added this one to the domain config, under the Cloudflare include:

    Code:
    include /usr/local/nginx/conf/ezoic.conf;
    Error:

    Code:
    Starting nginx: nginx: [emerg] "real_ip_header" directive is duplicate in /usr/local/nginx/conf/ezoic.conf:1240
    Should I disable the include for cloudflare.conf?

    I am using the Ezoic app through Cloudflare....

    The issue is that I have the same header at the end of both cloudflare.conf and ezoic.conf:

    Code:
    real_ip_header X-Forwarded-For;
    but what is the proper way to solve it?

    I am attaching the config files here:
     

    Last edited: Oct 24, 2019
  4. pamamolf

    pamamolf Premium Member Premium Member

    The confusion is that on post #15 @Xon recommends to remove the header from cloudflare.conf:
    Code:
    real_ip_header CF-Connecting-IP;
    and that seems to work according to @BamaStangGuy

    but @eva2000 recommends to not remove it and change it to:

    Code:
    real_ip_header X-Forwarded-For;
    But the same header also exists at the end of ezoic.conf and conflicts...
     
  5. BamaStangGuy

    BamaStangGuy Active Member

    This is what I have that works:

    In cloudflare.conf

    Code:
    include /usr/local/nginx/conf/cloudflare_customips.conf;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
    real_ip_recursive on;
    In ezoic.conf
    Code:
    # <-rest of ips->
    set_real_ip_from 18.188.9.0/27;
    set_real_ip_from 18.188.9.32/27;
    set_real_ip_from 34.217.141.224/27;
    set_real_ip_from 34.218.119.32/27;
    set_real_ip_from 34.245.205.0/27;
    set_real_ip_from 34.245.205.64/27;
    set_real_ip_from 35.172.155.192/27;
    set_real_ip_from 35.172.155.96/27;
    real_ip_header X-Forwarded-For;
    Then in nginx.conf include ezoic.conf underneath cloudflare.conf.
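
    Added example (not part of the post above, and not Centmin Mod or nginx code): a simplified Python model of how the realip directives in this thread pick the client address when two trusted proxies sit in front of the origin, and why real_ip_recursive on; is needed. The function name, the sample addresses and the order of the two proxies are assumptions made for illustration.

```python
import ipaddress

# Trusted ranges: a subset of the set_real_ip_from lines quoted in this thread.
CLOUDFLARE = ["173.245.48.0/20", "103.21.244.0/22", "2606:4700::/32"]
EZOIC = ["34.217.141.224/27", "34.218.119.32/27"]


def resolve_client_ip(peer, xff, trusted_cidrs, recursive):
    """Simplified model of the address the realip module ends up with."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def trusted(addr):
        return any(addr in net for net in nets)

    # The header is honoured only when the TCP peer is itself trusted.
    if not trusted(ipaddress.ip_address(peer)):
        return peer
    result = peer
    # Walk X-Forwarded-For right to left (nearest hop first).
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep what we have so far
        result = str(addr)
        # Non-recursive: always stop at the last entry.
        # Recursive: stop at the first entry that is not a trusted proxy.
        if not recursive or not trusted(addr):
            break
    return result


# Constructed request: client 203.0.113.7 -> proxy A (Cloudflare range)
# -> proxy B (Ezoic range) -> origin. The hop order is an assumption.
PEER = "34.217.141.230"
XFF = "203.0.113.7, 173.245.48.10"
# Same request, but the client sent its own X-Forwarded-For: 198.51.100.99
XFF_SPOOFED = "198.51.100.99, " + XFF

if __name__ == "__main__":
    both = CLOUDFLARE + EZOIC
    print("recursive off:", resolve_client_ip(PEER, XFF, both, False))
    print("recursive on: ", resolve_client_ip(PEER, XFF, both, True))
    print("spoofed XFF:  ", resolve_client_ip(PEER, XFF_SPOOFED, both, True))
    print("ezoic missing:", resolve_client_ip(PEER, XFF, CLOUDFLARE, True))
```

    With recursive lookup on, an entry the client prepended itself is never reached, because the walk stops at the first address outside the set_real_ip_from ranges. If the ranges of the proxy that actually connects to the origin are missing, the header is ignored and the proxy address is what gets logged.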
     
  6. pamamolf

    pamamolf Premium Member Premium Member

    Yes, I know, but the confusion was related to @eva2000's recommendation to not remove the header from cloudflare.conf....

    Also, as the cronjob from csf will overwrite the contents of cloudflare.conf (if I am not wrong), I think it is better to add real_ip_recursive on; to cloudflare_customips.conf?
     
  7. BamaStangGuy

    BamaStangGuy Active Member

    It did not work when I did that.
     
  8. pamamolf

    pamamolf Premium Member Premium Member

    I will wait for @eva2000 to see how to set that, as I think your config will be reverted by the csf cronjob...
     
  9. eva2000

    eva2000 Administrator Staff Member

    that works as you have real_ip_header X-Forwarded-For in ezoic.conf, as include files in nginx.conf are just as if their contents were placed in nginx.conf, so the combined contents of cloudflare.conf and ezoic.conf have the single real_ip_header X-Forwarded-For required for things to work
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    But will the csf cronjob add the header back to cloudflare.conf?

    If yes, then it will conflict and Nginx will not start....

    What to do in that case?
     
  11. eva2000

    eva2000 Administrator Staff Member

    yes csfcf.sh cron would override cloudflare.conf but the latest 123.09beta01 update changed to using real_ip_header X-Forwarded-For instead, so just remove it from ezoic.conf include file and place ezoic.conf before cloudflare.conf include file in nginx.conf

    run manually once the command
    Code (Text):
    /usr/local/src/centminmod/tools/csfcf.sh auto

    to inspect if cloudflare.conf has the updated real_ip_header X-Forwarded-For
     
  12. pamamolf

    pamamolf Premium Member Premium Member

    @BamaStangGuy
    @Xon
    @eva2000

    can't get the users' IPs in my log file :(

    I am using the Ezoic app from Cloudflare apps panel...

    cloudflare.conf
    Code:
    include /usr/local/nginx/conf/cloudflare_customips.conf;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    # a few more IPs here...
    real_ip_header X-Forwarded-For;
    cloudflare_customips.conf
    Code:
    real_ip_recursive on;
    ezoic.conf
    Code:
    set_real_ip_from 34.217.141.224/27;
    set_real_ip_from 34.218.119.32/27;
    set_real_ip_from 34.245.205.0/27;
    set_real_ip_from 34.245.205.64/27;
    set_real_ip_from 35.172.155.192/27;
    set_real_ip_from 35.172.155.96/27;
    # a few more IPs here...
    

    Domain config:

    Code:
      include /usr/local/nginx/conf/ezoic.conf;
      include /usr/local/nginx/conf/cloudflare.conf;
    Any ideas?
     
    Last edited: Nov 26, 2019
  13. pamamolf

    pamamolf Premium Member Premium Member

    Does the load of real_ip_recursive on; matter?

    If yes, then I think it is not working for me as the order is:

    ezoic IPs
    then
    real_ip_recursive on;
    then
    cloudflare IPs with real_ip_header X-Forwarded-For; at the end...

    Maybe to get that to work it must be:

    real_ip_recursive on;
    then
    cloudflare IPs WITHOUT real_ip_header X-Forwarded-For; at the end...
    then
    ezoic IPs WITH real_ip_header X-Forwarded-For; at the end...

    and:
    Code:
    include /usr/local/nginx/conf/cloudflare.conf;
    include /usr/local/nginx/conf/ezoic.conf;
    What do you think?
     
  14. pamamolf

    pamamolf Premium Member Premium Member

    @BamaStangGuy

    Did you add the ezoic include only in the main Nginx config or in the domain Nginx config also?

    Thank you
     
  15. negative

    negative Active Member

    Btw, do you advise using the Ezoic service?
     
  16. pamamolf

    pamamolf Premium Member Premium Member

    I assume that it depends on each use case, but in my case I got an income increase of around 40% but also a noticeable increase in loading time for ads...