Articles in this section

See more

Incorrect IP addresses are logged by Plesk behind a Cloudflare or Google Cloud Load Balancing

Avatar
Stefan Yakubov
Updated
Follow
Plesk for Linux kb: technical Plesk Obsidian for Linux Plesk Onyx for Linux ABT: Group A

Applicable to:

  • Plesk Obsidian for Linux
  • Plesk Onyx for Linux
  • Plesk for Linux

Symptoms

  • Plesk is running behind a Cloudflare or Google Cloud Load Balancing.

  • Internal IP address of load balancer or proxy is displayed in domain logs (Domains > example.com > Logs) instead of the client's IP (real visitor's IP):

    CONFIG_TEXT: Access 192.0.2.2 200 GET / HTTP/1.0

Cause

Proxies and load balancers rewrite the origin IP address and specify the client's IP address in an additional HTTP header.

Resolution

  1. Log into the server via SSH.
  2. Using the next command verify that the remoteip_module Apache module is enabled:

    # (apache2ctl -M || httpd -M) | grep remoteip_module

    The output below means that remoteip_modulemodule is enabled: 

    CONFIG_TEXT: remoteip_module (shared)

Then apply one of the following solutions:

Solution for a single domain with Nginx enabled

  1. Log in to Plesk.

  2. Go to Domains > example.com > Apache & nginx Settings, and add the following content to the Additional nginx directives:

    • For Cloudflare:

      CONFIG_TEXT: real_ip_header CF-Connecting-IP;

    • For Cloudflare Load Balancing:

      CONFIG_TEXT: set_real_ip_from 130.0.0.0/8;
      set_real_ip_from 35.0.0.0/8;
      set_real_ip_from 103.21.244.0/22;
      set_real_ip_from 103.22.200.0/22;
      set_real_ip_from 103.31.4.0/22;
      set_real_ip_from 104.16.0.0/13;
      set_real_ip_from 104.24.0.0/14;
      set_real_ip_from 108.162.192.0/18;
      set_real_ip_from 131.0.72.0/22;
      set_real_ip_from 141.101.64.0/18;
      set_real_ip_from 162.158.0.0/15;
      set_real_ip_from 172.64.0.0/13;
      set_real_ip_from 173.245.48.0/20;
      set_real_ip_from 188.114.96.0/20;
      set_real_ip_from 190.93.240.0/20;
      set_real_ip_from 197.234.240.0/22;
      set_real_ip_from 198.41.128.0/17;
      set_real_ip_from 2400:cb00::/32;
      set_real_ip_from 2606:4700::/32;
      set_real_ip_from 2803:f800::/32;
      set_real_ip_from 2405:b500::/32;
      set_real_ip_from 2405:8100::/32;
      set_real_ip_from 2c0f:f248::/32;
      set_real_ip_from 2a06:98c0::/29;
      real_ip_header X-Forwarded-For;
      real_ip_recursive on;

      Note: It might be required to add other IP address ranges to the set_real_ip_from based on the Google Compute Engine zone used.

Solution for a single domain with Apache only

  1. Log in to Plesk.

  2. Go to Domains > example.com > Apache & Nginx Settings and add the following content to both Additional directives for HTTP and Additional directives for HTTPS:

    Note: The remoteip module should be enabled in Tools & Settings > Apache Web Server

    • For Cloudflare:

      CONFIG_TEXT: RemoteIPHeader CF-connecting-IP

    • For Google Cloud Load Balancing:

      CONFIG_TEXT: RemoteIPHeader X-Forwarded-For
      RemoteIPInternalProxy 130.0.0.0/8
      RemoteIPInternalProxy 35.0.0.0/8

Server-wide solution with Nginx enabled

  1. Connect to the server via SSH.

  2. Download and execute the next script in order to add the Nginx variables globally:

    # curl -L -so /root/cf.sh https://plesk.zendesk.com/hc/article_attachments/12377012552983/cf.sh && chmod 700 /root/cf.sh

  3. Execute the script:

    # /root/cf.sh

Note: The script could be called at the required intervals using Plesk Scheduled Tasks.

Server-wide solution with Apache only

  1. Connect to the server via SSH.

  2. Make sure that /etc/httpd/conf/httpd.conf has the following LogFormat:

    CONFIG_TEXT: LogFormat "%a %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined

  3. Create a new configuration file /etc/httpd/conf.d/cloudflare.conf and add Cloudflare IP addresses there:

    CONFIG_TEXT: RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/13
    RemoteIPTrustedProxy 104.24.0.0/14
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32

  4. Restart Apache service:

    • For CentOS\RHEL:

      # systemctl restart httpd

    • For Debian\Ubuntu:

      # systemctl restart apache2

Note: For additional information on proper HTTP headers with the client's IP address for non-listed services contact the support of the proxy/load-balancing service or its system administrator.

Comments

0 comments

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles