
Nginx site still detects the Cloudflare IP and not the visitor IP.

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by yunos, Nov 15, 2021.

  1. yunos

    yunos Member

    i have this uncommented
    include /usr/local/nginx/conf/cloudflare.conf;

    and I have the vhost config attached below. I am currently using proxy_pass to forward to a specific port. The issue is that when people use my site they have to solve a captcha to proceed. The site does detect a visitor IP, but the primary problem is that it always detects the Cloudflare IP, and I don't know how to solve this.


    Code:
    #x# HTTPS-DEFAULT
     # Plain-HTTP entry for the site. There is no listen directive, so nginx
     # binds its default port (80 when started as root) and every request is
     # sent to the HTTPS host below.
     server {
      
       server_name cp.domain.com www.cp.domain.com;
       # 302 = temporary redirect; $request_uri keeps path and query string.
       return 302 https://cp.domain.com$request_uri;
       # A server-level "return" is evaluated before location matching, so the
       # locations pulled in by staticfiles.conf appear to be unused here.
       include /usr/local/nginx/conf/staticfiles.conf;
     }
    
    
    # HTTPS vhost for cp.domain.com: terminates TLS, then reverse-proxies
    # everything under / to a backend on localhost:8060.
    server {
      listen 443 ssl http2;
      server_name cp.domain.com www.cp.domain.com;
    
      include /usr/local/nginx/conf/ssl/cp.domain.com/cp.domain.com.crt.key.conf;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # cloudflare authenticated origin pull cert community.centminmod.com/threads/13847/
      #ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/cp.domain.com/origin.crt;
      #ssl_verify_client on;
      #http2_max_field_size 16k;
      #http2_max_header_size 32k;
      #http2_max_requests 50000;
      # mozilla recommended
      # NOTE(review): the list still ends with 3DES suites (the *DES-CBC3-SHA
      # entries); current Mozilla profiles no longer include 3DES, so check
      # whether any client actually needs them before keeping them.
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #add_header Alternate-Protocol  443:npn-spdy/3;
    
      # before enabling HSTS line below read centminmod.com/nginx_domain_dns_setup.html#hsts
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header X-Frame-Options SAMEORIGIN;
      # NOTE(review): "1; mode=block" turns on the legacy browser XSS auditor;
      # current guidance is to send 0 or omit the header. "always" makes the
      # header appear on error responses too.
      add_header X-Xss-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      #add_header Referrer-Policy "strict-origin-when-cross-origin";
      #add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
      #spdy_headers_comp 5;
      ssl_buffer_size 1369;
      ssl_session_tickets on;
     
      # enable ocsp stapling
      # public resolvers used for the OCSP lookups that stapling performs
      resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
    
    
      # The "combined" format logs $remote_addr as the client; this is the log
      # the thread uses to check whether the visitor IP or the Cloudflare edge
      # IP is being recorded.
      access_log /home/nginx/domains/cp.domain.com/log/access.log combined buffer=256k flush=5m;
      error_log /home/nginx/domains/cp.domain.com/log/error.log;
    
      include /usr/local/nginx/conf/autoprotect/cp.domain.com/autoprotect-cp.domain.com.conf;
      root /home/nginx/domains/cp.domain.com/public;
      # uncomment cloudflare.conf include if using cloudflare for
      # server and/or vhost site
      # cloudflare.conf (not shown here) is what turns $remote_addr from the
      # Cloudflare edge address into the visitor's address — presumably via the
      # realip module (set_real_ip_from / real_ip_header); confirm against the
      # file. That rewrite is only trustworthy while the trusted ranges are
      # limited to Cloudflare's and the origin is not reachable directly, since
      # the header it reads is otherwise client-supplied.
      include /usr/local/nginx/conf/cloudflare.conf;
      include /usr/local/nginx/conf/503include-main.conf;
    
      location / {
      include /usr/local/nginx/conf/503include-only.conf;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Wordpress Permalinks example
      #try_files $uri $uri/ /index.php?q=$uri&$args;
    
            proxy_read_timeout 360s;
            proxy_http_version 1.1;
            # X-Real-IP is set twice in this location (here and again right
            # after the proxy_pass line); one of the two is redundant.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://localhost:8060;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            # The thread's fix was to delete the X-Real-IP and X-Forwarded-For
            # lines. Without a proxy_set_header for them nginx forwards the
            # request's own X-Real-IP / X-Forwarded-For values unchanged, so the
            # backend on :8060 then trusts whatever arrived from the edge —
            # acceptable only while this proxy is the backend's sole path in.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # proxy_set_header only changes the request sent to the backend;
            # X-Content-Type-Options, X-Frame-Options and Referrer-Policy are
            # response headers, so these three never reach the browser. Set them
            # with add_header (as the server-level lines above do) — and note that
            # an add_header inside this location stops the server-level add_header
            # lines from being inherited, so they would have to be repeated here.
            proxy_set_header X-Content-Type-Options nosniff;
            proxy_set_header X-Frame-Options "DENY";
            proxy_set_header Referrer-Policy "strict-origin";
    
      }
        # Unanchored regex, and the "." matches any character; "^/\.well-known"
        # would be the stricter form. The nested location forces text/plain on
        # ACME challenge responses.
        location ~ /.well-known { location ~ /.well-known/acme-challenge/(.*) { more_set_headers    "Content-Type: text/plain"; } }
    
    }
    
     
  2. eva2000

    eva2000 Administrator Staff Member

    If you remove the proxy settings below, does the real visitor IP show up in the Centmin Mod Nginx access logs for the proxied site? Only the Centmin Mod Nginx access logs would show the real visitor IP. You would need to apply the same treatment in the config of the origin backend site/server that Centmin Mod Nginx proxies to, so that it also reveals the real IP.
    Code (Text):
           proxy_read_timeout 360s;
           proxy_http_version 1.1;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_pass http://localhost:8060;
           proxy_set_header Host $http_host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Content-Type-Options nosniff;
           proxy_set_header X-Frame-Options "DENY";
           proxy_set_header Referrer-Policy "strict-origin";
    

    or at least disable these two:
    Code (Text):
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
     
  3. yunos

    yunos Member

    Removing those two did the trick. The access log now shows the visitor's origin IP instead of Cloudflare's. Thanks :)
     
  4. eva2000

    eva2000 Administrator Staff Member

    Great, as I expected :)