Hi everybody,
I admin my own personal Ubuntu 24.04 server with NGINX as the web server, and I'm not using any panel there, just doing/managing everything via CLI. On that server, I’ve configured it to display the real IP addresses of visitors in my server's access logs, even though my sites are behind Cloudflare’s proxy.
I see on the Roadmap it says that "Enable passthrough of 'real' user IP from known Cloudflare IPs across all web server kinds" is approved, but there isn't an ETA and I'm kind of impatient, so I copied what I did on my personal server over to our Enhance server. 😛
If anybody sees any problem with the below information, like if it will break something with the Enhance panel, or if an Enhance panel update will wipe all of this out, by all means please let me know (I'm new here and just learning the ropes). But if the below won't break any Enhance functionality and an update won't wipe it out, I wanted to share it. Also I didn't use AI to come up with this, I set it up on my server a long time ago and got the information the good old fashioned way, via lots of Google searches and cross-checking. 🙂
So, if you are using NGINX on your server(s), this is how to get your visitors' real IP addresses showing in the access logs.
The Enhance (12.16.0) NGINX build already comes with the http_realip_module compiled, so nothing to do there, but if you want to confirm you can run the below:
nginx -V 2>&1 | grep -o http_realip_module
and if it returns http_realip_module you're good.
Next, create a new directory called conf.d in /etc/nginx
sudo mkdir -p /etc/nginx/conf.d
Then cd into that new /etc/nginx/conf.d directory, and create a file called cloudflare.conf
sudo nano cloudflare.conf
Now, add Cloudflare's IP ranges to that file and save it. As of Feb. 2nd 2026 it would look like this:
#Cloudflare
# - IPv4
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
# - IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
Then run the below to check that your .conf file syntax is good:
sudo nginx -t
You'll probably see something like:
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/yourweb.site.conf:8
nginx: [warn] the "listen ... http2" directive is deprecated, use the "http2" directive instead in /etc/nginx/sites-enabled/yourweb.site.conf:9
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
That warning is because in Nginx versions 1.25.1 and above, Nginx updated its HTTP module ngx_http_core_module by deprecating the additional http2 parameter in the listen directive. Currently Enhance has it as:
listen 443 ssl http2;
listen [::]:443 ssl http2;
It should be:
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
Would be cool if the Enhance team fixed that in a future update. 🙂
Moving on, if you see:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
at the end of the readout you're good and you can reload NGINX:
sudo systemctl reload nginx
After that, if your website is behind Cloudflare's proxy, you should start seeing your web visitors' real IP addresses in your access logs instead of Cloudflare's IP addresses. You can confirm by visiting your website while tail'ing your website's access log, something like:
sudo tail -f /var/local/enhance/webserver_logs/a1234567-100y-4k28-47u9-36gjd8mg6df3.log
And you'll see your real IP address hitting the server as you browse around your site.
Cloudflare's page says "to include the original visitor IP in your logs, add the variables $http_cf_connecting_ip and $http_x_forwarded_for in the log_format directive", but from what I can see the current $remote_addr variable works to pull the real IP address too, so I didn't change anything with the log format on our Enhance server. I did update the log_format on my personal server though with the above recommendation.
Added bonus, if you want to make sure that your cloudflare.conf file is always updated with Cloudflare's latest IP ranges, you can create a bash script and then set a cron job to run nightly to pull the most current IP addresses.
Something like:
In /etc/nginx add a bash script, for example sudo nano cloudflare-ip-whitelist-sync.sh and add the below to the file:
#!/bin/bash
# Rebuild the set_real_ip_from list from Cloudflare's published ranges.
CLOUDFLARE_FILE_PATH=/etc/nginx/conf.d/cloudflare.conf
echo "#Cloudflare" > "$CLOUDFLARE_FILE_PATH"
echo "" >> "$CLOUDFLARE_FILE_PATH"
echo "# - IPv4" >> "$CLOUDFLARE_FILE_PATH"
# -f makes curl return nothing on an HTTP error instead of the error page body
for i in $(curl -fsSL https://www.cloudflare.com/ips-v4); do
    echo "set_real_ip_from $i;" >> "$CLOUDFLARE_FILE_PATH"
done
echo "" >> "$CLOUDFLARE_FILE_PATH"
echo "# - IPv6" >> "$CLOUDFLARE_FILE_PATH"
for i in $(curl -fsSL https://www.cloudflare.com/ips-v6); do
    echo "set_real_ip_from $i;" >> "$CLOUDFLARE_FILE_PATH"
done
echo "" >> "$CLOUDFLARE_FILE_PATH"
echo "real_ip_header CF-Connecting-IP;" >> "$CLOUDFLARE_FILE_PATH"
# test the configuration and reload nginx only if the test passes
nginx -t && systemctl reload nginx
Make sure the script is executable:
sudo chmod 700 /etc/nginx/cloudflare-ip-whitelist-sync.sh
Then you can add a cronjob if you want it to run nightly:
sudo crontab -e
and add the below line at the end (change the time to whatever time you want, for example 0 1 * * * for 1AM or 0 2 * * * for 2AM nightly, etc.).
0 1 * * * /etc/nginx/cloudflare-ip-whitelist-sync.sh >/dev/null 2>&1
Save the cronjob and you should be good to go, your script will run nightly and pull the latest Cloudflare IP ranges so you're never out of date.
That's it. The above should allow you to see your web visitors' real IP addresses in your access logs instead of Cloudflare's IP addresses. Hope it helps.
Again if the above would break anything in the Enhance panel, or if an update would wipe out all of the above work, please let me know! I like learning new things so my feelings won't be hurt if I'm wrong about something. 🙂
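A hardened variant of the nightly sync script above, added here as an example and not part of the original post: it accepts only CIDR lines from the downloaded lists, so an error page, an empty response or an over-broad range such as 0.0.0.0/0 never reaches set_real_ip_from (the directive that decides whose CF-Connecting-IP header NGINX trusts), and it restores the previous file if nginx -t fails. The function names, the --run switch and the minimum prefix lengths (/8 for IPv4, /16 for IPv6) are assumptions of this example.

```bash
#!/bin/bash
# Added example; valid_cidr, render_conf, install_conf and --run are hypothetical names.
# valid_cidr: accept one IPv4 CIDR (/8../32) or IPv6 CIDR (/16../128), nothing else.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    -e '^([0-9]{1,3}\.){3}[0-9]{1,3}/([89]|[12][0-9]|3[0-2])$' \
    -e '^[0-9a-fA-F]*:[0-9a-fA-F:]*/(1[6-9]|[2-9][0-9]|1[01][0-9]|12[0-8])$'
}
# render_conf <v4-list> <v6-list>: print the config; non-zero exit means discard the output.
render_conf() {
  local list line count
  echo "#Cloudflare"
  for list in "$1" "$2"; do
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
      line=$(printf '%s' "$line" | tr -d '\r')
      [ -n "$line" ] || continue
      valid_cidr "$line" || { echo "rejected: $line" >&2; return 1; }
      echo "set_real_ip_from $line;"
      count=$((count + 1))
    done < "$list"
    [ "$count" -gt 0 ] || { echo "empty list: $list" >&2; return 1; }
  done
  echo "real_ip_header CF-Connecting-IP;"
}
# install_conf <new-file> <target>: swap the file in, roll back if nginx -t fails.
install_conf() {
  local new="$1" target="$2"
  if [ -f "$target" ]; then cp -p "$target" "$target.bak"; fi
  mv "$new" "$target"
  if nginx -t; then
    systemctl reload nginx
  else
    if [ -f "$target.bak" ]; then mv "$target.bak" "$target"; else rm -f "$target"; fi
    return 1
  fi
}
main() {
  local target=/etc/nginx/conf.d/cloudflare.conf tmp rc
  tmp=$(mktemp -d) || return 1
  curl -fsSL --max-time 20 -o "$tmp/v4" https://www.cloudflare.com/ips-v4 &&
    curl -fsSL --max-time 20 -o "$tmp/v6" https://www.cloudflare.com/ips-v6 &&
    render_conf "$tmp/v4" "$tmp/v6" > "$target.new" &&
    install_conf "$target.new" "$target"
  rc=$?
  rm -rf "$tmp" "$target.new"
  return "$rc"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Call it with --run from cron; without the switch it only defines the functions.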