Applicable to:
- Plesk for Linux
Symptoms
- Plesk is running behind a Cloudflare CDN proxy or Google Cloud Load Balancing.
- The internal IP address of the load balancer, Plesk server or CDN proxy is displayed in domain logs (Domains > example.com > Logs) instead of the client device's public IP (the real visitor's IP):
CONFIG_TEXT: Access 192.0.2.2 200 GET / HTTP/1.0
Cause
CDN proxies and load balancers replace the source IP address of the request with their own and pass the client's IP address in an additional HTTP header.
Resolution
- Log into the server via SSH.
- Using the following command, verify that the remoteip_module Apache module is enabled:
# (apache2ctl -M || httpd -M) | grep remoteip_module
The output below means that the remoteip_module module is enabled:
CONFIG_TEXT: remoteip_module (shared)
- If the remoteip_module is not enabled, enable it:
Ubuntu/Debian-based OS:
# a2enmod remoteip
RHEL-based OS:
Add the following line:
CONFIG_TEXT: LoadModule remoteip_module modules/mod_remoteip.so
to /etc/httpd/conf.modules.d/00-base.conf and restart httpd:
# systemctl restart httpd
Then apply one of the following solutions:
- Go to Domains > example.com > Apache & nginx Settings and add the following content to both Additional directives for HTTP and Additional directives for HTTPS:
Note: The remoteip module should be enabled in Tools & Settings > Apache Web Server.
CONFIG_TEXT: RemoteIPHeader X-Forwarded-For
- Go to Domains > example.com > Apache & nginx Settings, and add the following content to the Additional nginx directives:
CONFIG_TEXT: real_ip_header X-Forwarded-For;
real_ip_recursive on;
- Scroll down and press Apply.
- Go to Domains > example.com > Apache & nginx Settings, and add the following content to the Additional nginx directives:
- For Cloudflare:
CONFIG_TEXT: real_ip_header CF-Connecting-IP;
- For Cloudflare Load Balancing:
CONFIG_TEXT: set_real_ip_from 130.0.0.0/8;
set_real_ip_from 35.0.0.0/8;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
Note: It might be required to add other IP address ranges to the set_real_ip_from based on the Google Compute Engine zone used.
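How nginx picks the logged address under the directives above, modelled as an added Python example (not Plesk's or nginx's own code): the header is honoured only when the connecting peer matches a set_real_ip_from range, and with real_ip_recursive on the last non-trusted hop in the header is taken. The three ranges are a subset of the list above; the function names and sample addresses are constructed.

```python
import ipaddress

# Subset of the set_real_ip_from ranges listed above (constructed selection)
TRUSTED = [ipaddress.ip_network(n) for n in
           ("173.245.48.0/20", "162.158.0.0/15", "2606:4700::/32")]


def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)


def resolve_client_ip(peer, header_value, recursive=True):
    """Model which address ends up in $remote_addr.

    peer         -- address of the TCP connection that reached nginx
    header_value -- content of the header named by real_ip_header, or None
    recursive    -- the real_ip_recursive setting
    """
    # The header is only honoured when the connection comes from a trusted range.
    if not header_value or not is_trusted(peer):
        return peer
    client = peer
    # Walk the hop list from the right: the proxy appends, the sender may prepend.
    for hop in reversed([h.strip() for h in header_value.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep what has been resolved so far
        client = hop
        if not recursive or not is_trusted(hop):
            break  # last non-trusted hop (or last hop when not recursive)
    return client


if __name__ == "__main__":
    cases = [
        ("162.158.10.5", "203.0.113.7"),            # request via a trusted proxy
        ("198.51.100.9", "203.0.113.7"),            # direct request carrying the header
        ("162.158.10.5", "10.9.9.9, 203.0.113.7"),  # extra entry prepended by the sender
    ]
    for peer, header in cases:
        print(peer, "|", header, "->", resolve_client_ip(peer, header))
```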
- Go to Domains > example.com > Apache & nginx Settings and add the following content to both Additional directives for HTTP and Additional directives for HTTPS:
Note: The remoteip module should be enabled in Tools & Settings > Apache Web Server.
- For Cloudflare:
CONFIG_TEXT: RemoteIPHeader CF-connecting-IP
- For Google Cloud Load Balancing:
CONFIG_TEXT: RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 130.0.0.0/8
RemoteIPInternalProxy 35.0.0.0/8
- Connect to the server via SSH.
- Download and execute the following script in order to add the nginx variables globally:
# curl -LO https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh && chmod 700 /root/cf.sh
- Execute the script:
# bash cf.sh
Note: The script could be called at the required intervals using Plesk Scheduled Tasks.
- Connect to the server via SSH.
- Make sure that /etc/httpd/conf/httpd.conf (on Debian-based OS the path is /etc/apache2/apache2.conf) has the following LogFormat:
CONFIG_TEXT: LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
- Create a new configuration file:
On RHEL-based OS: /etc/httpd/conf.d/cloudflare.conf
On Debian-based OS: /etc/apache2/conf-enabled/cloudflare.conf
- Add Cloudflare IP addresses to the file created in step 3:
CONFIG_TEXT: RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32
- Restart the Apache service:
- For CentOS/RHEL:
# systemctl restart httpd
- For Debian/Ubuntu:
# systemctl restart apache2
Note: For additional information on proper HTTP headers with the client's IP address for non-listed services, contact the support of the proxy/load-balancing service or its system administrator.
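A check for the symptom once the change is applied, as an added example (not part of the Plesk article): it reads access-log lines in the combined LogFormat shown above and counts entries whose client field still falls inside a proxy range. The range subset, the function name and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# A few of the proxy ranges listed on this page (extend with the full list)
PROXY_NETS = [ipaddress.ip_network(n) for n in
              ("173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]

# Constructed sample lines in the "combined" LogFormat (%a is the first field)
SAMPLE_LOG = '''\
172.68.10.4 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /a HTTP/1.1" 200 128 "-" "Mozilla/5.0"
104.23.1.9 - - [01/Jan/2024:10:00:02 +0000] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/5.0"
not-an-ip - - [01/Jan/2024:10:00:03 +0000] "GET /c HTTP/1.1" 200 1 "-" "-"
'''


def audit(lines):
    """Classify each entry by its client field: proxy, client or unparsed.

    Returns (stats, offenders): stats counts the three classes, offenders
    counts how often each proxy address was logged as the client.
    """
    stats, offenders = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue  # skip blank lines
        field = line.split(" ", 1)[0]
        try:
            ip = ipaddress.ip_address(field)
        except ValueError:
            stats["unparsed"] += 1
            continue
        if any(ip in net for net in PROXY_NETS):
            stats["proxy"] += 1      # the proxy address was logged, not the visitor
            offenders[field] += 1
        else:
            stats["client"] += 1
    return stats, offenders


if __name__ == "__main__":
    stats, offenders = audit(SAMPLE_LOG.splitlines())
    print(dict(stats))
    for addr, hits in offenders.most_common():
        print(f"proxy address logged as client: {addr} ({hits}x)")
```

Any non-zero proxy count for requests made after the restart means the header is not being applied for that virtual host.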
Comments
9 comments
The solution for nginx (single domain) is not working:
If I just add real_ip_header CF-Connecting-IP; The IP is still wrong...
If I try to add the whole code given, I get an error:
Now it's working for me... You have to use the load balancer config, even if you don't use cloudflare load balancer... AND only use the load balancer config. Copying both leads to an error as the line
is duplicated. Pretty obvious, but if you just copy paste, you might run into it ^^
I changed this code on line 21 from
to
and it works fine for me.
Hi, Mohd Yaakob
Could you clarify the conditions, when that change in the script is necessary?
Out of the box on staging environment with CloudFlare-proxied domain I did not encounter issues.
When I execute cf.sh, my server still logs the Cloudflare IP. I checked in PHP info and I can't find
I just find
That's why I changed the cf.sh script a little.
Mohd Yaakob
It's not related to PHP anyhow.
Unless custom configuration is being applied, provided script does work out of the box as is.
In case it does the trick in your case, thanks for sharing. It might be useful for some.
This script at https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh appears to have stopped working over the past 24 hours. This causes the script to halt silently, disabling the Cloudflare nginx configuration.
Debugging it shows that it is failing with the CURL call. Perhaps there has been a change at Cloudflare...
Adding a trailing slash (/) after the URL for both IPv4 and IPv6 requests in the curl commands seems to fix the issue. Change the following lines in the cf.sh script:
Change from:
to:
Then remove the cf-stop file and rerun the script:
Hello, Q
Thank you for the feedback. The `-L` option was added to the curl command in the script, so it'll follow redirection from now on.
This is my exact list that I add under
Domains > [DOMAIN NAME] > Apache & nginx Settings > Additional nginx directives
For some reason it didn't work to specify the same under service plan and set this for all domains.
But it works for individual domains.
The way I see it real_ip_header CF-Connecting-IP tells it from what header field to take the real ip (CF-Connecting-IP in this case), and the list of set_real_ip_from [...] tells it from what parent source to trust this real ip field, otherwise a site visitor can provide this CF-Connecting-IP header field containing a fake ip.
So you need both these real_ip_header and set_real_ip_from, not sure why above says "for Cloudflare Load Balancing" only.