Retrieving the Original IP Addresses of Visitors behind CF

ivansalloum

Hey everyone,

My website is behind Cloudflare, but I'm having trouble getting the original IP addresses of visitors. Enhance isn't doing the trick, and now my WAF is blocking Cloudflare IPs.

I used to do this through nginx and I tried tinkering with the vhost file, but no luck.

Any advice on how to tackle this?

twest

ivansalloum check your WAF settings, there should be a setting you can toggle to change how it detected IPs in the header, it should most certainly have an option that's compatible with Cloudflare. Doesn't have anything to do with enhance.

If you can't find a setting, post what WAF app you're using and maybe someone experienced with it can offer an fix.

xyzulu

The real IP will be in the X-Forwarded-For header sent by cloudflare.

ivansalloum

xyzulu WordPress doesn‘t detect it.

SharedGrid

You will need this: https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/

ivansalloum

SharedGrid I know. I know how to do it but it doesn’t work with Enhance because it doesn’t include the required module.

xyzulu

I have no problems reading the real IP on Enhance. The headers are set by Cloudflare, Enhance don’t interfere with this.

ivansalloum

twest When using nginx with Enhance, the main configuration doesn’t retrieve the real IP address. I should configure this manually and this doesn’t work as well since they don’t have the required module included.

xyzulu

No module is required (only needed if you are wanting to see the real up in the raw server logs).

Explain your issues and we can help

ivansalloum

I'm using NGINX, and to retrieve the original IPs, I need to add this to my current configuration:

# - IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;

# - IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;

But this doesn't work with Enhance. There is no way to make it work as they don't have the ngx_http_realip_module module included in their NGINX image.

I need to retrieve the original IPs because the ninja firewall (a plugin) is blocking CFs' IPs now. This is a huge problem.

And I need to make this applicable globally to all clients, rather than configuring it on a per-client level.

xyzulu

I am not a fan (I don't believe they help security, they just mask real issues and perpetuate the idea that a firewall plugin is actually protecting you.. they also lead to reduced performance) WAF plugins like this.. if Ninja firewall can't provide an option to use the X-Forwarded-for header.. well.. that says much about the quality of the script.

Have you spent the same amount of time on Google regarding this issue as you have posting here about it? I mean.. not that I need to use it.. but one the first hit is: https://gist.github.com/ryanjbonnell/9509696

sigh

ivansalloum

xyzulu The Ninja Firewall has the option to retrieve the original IPs in their .htninja file, and that's what I did to solve the problem for now. However, this doesn't eliminate the need to write custom NGINX config files!

I'm not a developer; although I have programming knowledge, it's not my main work. I'm a Linux admin with four years of experience with NGINX.

Adding this provided config file is the best way to get the original IPs server-side, rather than tinkering around with WordPress and PHP code on the web app side. Just because we don't have the option to write custom NGINX, I need to add everything on the web app side, impacting performance and potentially leading to problems.

You mentioned the Ninja Firewall impacting performance, instead of suggesting Enhance to make it easier to run custom configurations.

I knew I could make it work using their .htninja file, but I wanted to implement it server-side and make it a global configuration for all customers. Do you want me to manually add everything to each customer, rather than applying custom NGINX configuration to all customers at once?

Also, regarding the Ninja Firewall, it is the only firewall that is not bloated, has no performance issues, and blocks almost 99% of threats due to its filtering engine.