Restore Real IP Address From Cloudflare CDN in Nginx

Cyrus Kao18 Jan 2022

Last modified on 23 Apr 2023 @ 05:27:06.

Cloudflare CDN works just like a reverse proxy, it sits in front of your web servers and forwards client requests to them. So the requests reaching your server actually came from Cloudflare. To restore the original client's IP address, we'll be using ngx_http_realip_module in Nginx to retrieve them from headers.

Finds Out Cloudflare's IP Ranges

In order to trust the requests from a proxy, we must find out Cloudflare's IP ranges at the official site or by API:

IPv4 - https://www.cloudflare.com/ips-v4
IPv6 - https://www.cloudflare.com/ips-v6

Configure Nginx

Create a set_real_ip_from directive for each IP range, and real_ip_header to restore the real IP address from Cloudflare's header CF-Connecting-IP:

http {
	# IPv4
  set_real_ip_from 173.245.48.0/20;
  set_real_ip_from 103.21.244.0/22;
  set_real_ip_from 103.22.200.0/22;
  set_real_ip_from 103.31.4.0/22;
  set_real_ip_from 141.101.64.0/18;
  set_real_ip_from 108.162.192.0/18;
  set_real_ip_from 190.93.240.0/20;
  set_real_ip_from 188.114.96.0/20;
  set_real_ip_from 197.234.240.0/22;
  set_real_ip_from 198.41.128.0/17;
  set_real_ip_from 162.158.0.0/15;
  set_real_ip_from 104.16.0.0/13;
  set_real_ip_from 104.24.0.0/14;
  set_real_ip_from 172.64.0.0/13;
  set_real_ip_from 131.0.72.0/22;
	# IPv6
  set_real_ip_from 2400:cb00::/32;
  set_real_ip_from 2606:4700::/32;
  set_real_ip_from 2803:f800::/32;
  set_real_ip_from 2405:b500::/32;
  set_real_ip_from 2405:8100::/32;
  set_real_ip_from 2a06:98c0::/29;
  set_real_ip_from 2c0f:f248::/32;

	real_ip_header CF-Connecting-IP;
	...
}
Nginx config

set_real_ip_from and real_ip_header are allowed in http, server, location blocks.

Reload Nginx after it's configured:

$ sudo nginx -s reload

Verify IP Address is Real

Check your access_log for the incoming IP addresses:

$ less /var/log/nginx/access.log

...
2001:b011:e601:232d:xxxx:xxxx:xxxx:xxxx - - [18/Jan/2022:05:13:07 +0000] "GET / HTTP/2.0" 200 9894 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
Output

Comments

Setup Cloudflare Dynamic DNS (DDNS) with CLI on Windows, Mac, Linux

Cloudflare API v4 enables users to update DNS records programmatically, which makes Dynamic DNS (DDNS) implementation possible. I recently wrote a CLI tool called cf-ddns-cli in Node.js to update DNS A (IPv4) and AAAA (IPv6) records with your current IP address, and it's available in Windows, Mac and Linux.

Disable Direct IP Address Access in Nginx on Linux

Nginx's server_name directive indicates the domain name it's listening on. But if none of the server blocks match the incoming request, it will still fall back to the last HTTP/HTTPS server block. So direct access by IP address will probably be caught by some route instead of being dropped, which is often not ideal.

Change DNS Servers (IPv4, IPv6) on Linux

In my opinion, changing DNS servers on Linux is even easier than in Windows. As you only need to do it once and it applies to all the network interfaces. In this guide we'll be covering how to configure DNS servers on all Linux distros and prevent DNS settings from changing by other services.

How to Enable IPv6 for Your Website in Nginx

According to Google's IPv6 adoption statistics, more than 30% of the Internet users are using IPv6 in 2021. In some countries, like France and Germany even have adoption rates over 50%, which makes it essential to adopt IPv6 on your website for international users.

Table of Contents

Comments