When using Cloudflare as a Content Delivery Network (CDN) and proxy in front of your Nginx server, the client's IP address is often masked by Cloudflare's servers. This is done for security and caching purposes. However, as a website administrator, you may need to access the client's real IP address for various reasons, such as for logging, geolocation, or security checks.

Here's how you can configure Nginx to retrieve the client's real IP address when using Cloudflare as a proxy:

1. Understanding the HTTP Headers

When Cloudflare proxies a request to your Nginx server, it adds several HTTP headers that contain information about the original request. One of these headers is CF-Connecting-IP, which contains the client's real IP address.

2. Configuring Nginx

To make Nginx use the CF-Connecting-IP header instead of the default X-Forwarded-For header (which can be spoofed), you need to make a few changes to your Nginx configuration.

First, open your Nginx configuration file, typically located at /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf.

Next, locate the server block that handles your website's traffic. Inside this block, you'll need to add or modify the set_real_ip_from and real_ip_header directives.

Here's an example configuration:

nginx

http {

...

set_real_ip_from;

real_ip_header CF-Connecting-IP;

server {

...

location / {

...

# Your existing configuration here

# Optionally, you can log the real IP address in the access log

log_format main '$remote_addr - $remote_user [$time_local] "$request" '

'$status $body_bytes_sent "$http_referer" '

'"$http_user_agent" "$http_x_forwarded_for" "$realip_remote_addr"';

access_log /var/log/nginx/access.log main;

...

}

...

}

...

}

Note: Replacewith the actual IP ranges used by Cloudflare. You can find these ranges in the Cloudflare documentation or by logging into your Cloudflare account and navigating to the Networking section.

3. Restart Nginx

After making the changes, save the configuration file and restart Nginx to apply the new settings.

On most Linux distributions, you can use the following command to restart Nginx:

bash

sudo systemctl restart nginx

4. Verifying the Configuration

To verify that Nginx is correctly retrieving the client's real IP address, you can check the access log file (/var/log/nginx/access.log in the example above). Look for entries that include the $realip_remote_addr variable, which should contain the client's real IP address.

Remember to test your configuration thoroughly to ensure that it's working as expected.

By following these steps, you can easily retrieve the client's real IP address when using Cloudflare as a proxy with Nginx. This information can be valuable for logging, geolocation, and security purposes, providing you with a more accurate picture of your website's traffic.