When you use Cloudflare as a Content Delivery Network (CDN) and proxy in front of your Nginx server, the client's IP address is often masked by Cloudflare's servers. This is done for security and caching purposes. However, as a website administrator, you may need the client's real IP address for various reasons, such as logging, geolocation, or security checks.
Here's how you can configure Nginx to retrieve the client's real IP address when using Cloudflare as a proxy:
1. Understanding the HTTP Headers
When Cloudflare proxies a request to your Nginx server, it adds several HTTP headers that contain information about the original request. One of these headers is CF-Connecting-IP, which contains the client's real IP address.
2. Configuring Nginx
To make Nginx use the CF-Connecting-IP header instead of the default X-Forwarded-For header (which can be spoofed), you need to make a few changes to your Nginx configuration.
First, open your Nginx configuration file, typically located at /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf.
Next, locate the server block that handles your website's traffic. Inside this block, you'll need to add or modify the set_real_ip_from and real_ip_header directives.
Here's an example configuration:
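```nginx
http {
    ...
    # Trust the real_ip_header value only on connections from these addresses.
    # Placeholder: use one set_real_ip_from line per Cloudflare IP range.
    set_real_ip_from <CLOUDFLARE_IP_RANGE>;
    real_ip_header CF-Connecting-IP;

    # Optionally, you can log the real IP address in the access log.
    # log_format is only valid in the http context, so it is defined here
    # rather than inside the location block.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"';

    server {
        ...
        location / {
            ...
            # Your existing configuration here
            access_log /var/log/nginx/access.log main;
            ...
        }
        ...
    }
    ...
}
```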
Note: Replace
3. Restart Nginx
After making the changes, save the configuration file and restart Nginx to apply the new settings.
On most Linux distributions, you can use the following command to restart Nginx:
```bash
sudo systemctl restart nginx
```
4. Verifying the Configuration
To verify that Nginx is correctly retrieving the client's real IP address, you can check the access log file (/var/log/nginx/access.log in the example above). Look for entries that include the $realip_remote_addr variable, which should contain the client's real IP address.
Remember to test your configuration thoroughly to ensure that it's working as expected.
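To show why the set_real_ip_from directive from step 2 matters, here is an added example (not from the original article and not Nginx's own code): a simplified Python model in which the CF-Connecting-IP value is used only when the connection comes from a trusted proxy range. The range 192.0.2.0/24 and all sample addresses are constructed documentation values, not real Cloudflare ranges, and the function and constant names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the ranges listed in set_real_ip_from
# (a documentation range, not a real Cloudflare range).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
REAL_IP_HEADER = "CF-Connecting-IP"


def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the address to treat as the client for one request.

    peer_ip is the source address of the TCP connection; headers is a dict
    of request headers. The header value is used only when the peer is in a
    trusted range and the value parses as an IP address. In every other
    case the peer address is kept, so a client that connects directly
    cannot choose its own logged address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return str(peer)
    # Header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == REAL_IP_HEADER.lower()), None)
    if value is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer)


# Constructed sample requests: (peer address, request headers).
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"CF-Connecting-IP": "203.0.113.7"}),     # via trusted proxy
    ("198.51.100.23", {"CF-Connecting-IP": "203.0.113.7"}),  # direct, header not trusted
    ("192.0.2.10", {"cf-connecting-ip": "not-an-ip"}),       # malformed value
    ("192.0.2.10", {}),                                      # header missing
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(f"peer={peer:<15} client={resolve_client_ip(peer, hdrs)}")
```

The second sample shows why the trusted list should contain only the proxy's own ranges: with a broader list, a header sent on a direct connection would be accepted as the client address.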
By following these steps, you can easily retrieve the client's real IP address when using Cloudflare as a proxy with Nginx. This information can be valuable for logging, geolocation, and security purposes, providing you with a more accurate picture of your website's traffic.