Incorrect IP addresses are logged in the access logs of Plesk domains behind a Cloudflare CDN proxy or Google Cloud Load Balancing

9 comments

  • Emanuel Schiendorfer

    The solution for nginx (single domain) is not working:

    If I just add `real_ip_header CF-Connecting-IP;` the IP is still wrong...

    If I try to add the whole code given, I get an error:

    Invalid nginx configuration: nginx: [emerg] "real_ip_header" directive is duplicate in /var/www/vhosts/system/something/conf/vhost_nginx.conf:27 nginx: configuration file /etc/nginx/nginx.conf test failed

  • Emanuel Schiendorfer

    Now it's working for me... You have to use the load balancer config, even if you don't use the Cloudflare load balancer... AND only use the load balancer config. Copying both leads to an error, as the line

    real_ip_header CF-Connecting-IP;

    is duplicated. Pretty obvious, but if you just copy-paste, you might run into it ^^

  • Mohd Yaakob

    I changed this code on line 21 from

    sed -i '1ireal_ip_header CF-Connecting-IP' $CFTEMP

    To

    sed -i '1ireal_ip_header X-Forwarded-For' $CFTEMP

    and it works fine for me.

  • Stefan Yakubov

    Hi, Mohd Yaakob

    Could you clarify the conditions under which that change in the script is necessary?

    Out of the box on a staging environment with a Cloudflare-proxied domain, I did not encounter issues.

  • Mohd Yaakob

    When I execute cf.sh, my server still logs the Cloudflare IP. I checked the PHP info and can't find

    $_SERVER['CF_CONNECTING_IP']

    I just find

    $_SERVER['HTTP_X_FORWARDED_FOR']

    That's why I changed the cf.sh script a little.

  • Stefan Yakubov

    Mohd Yaakob

    It's not related to PHP anyhow.

    Unless custom configuration is being applied, the provided script does work out of the box as is.

    In case it does the trick in your case, thanks for sharing. It might be useful for some.

  • Q

    This script at https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh appears to have stopped working over the past 24 hours. This causes the script to halt silently, disabling the Cloudflare nginx configuration.

    Debugging it shows that it is failing with the CURL call. Perhaps there has been a change at Cloudflare...

    Adding a trailing slash (/) after the URL for both IPv4 and IPv6 requests in the curl commands seems to fix the issue. Change the following lines in the cf.sh script:

    Change from:

    curl -sS https://www.cloudflare.com/ips-v4 >$cfTemp && printf "\n" >> $cfTemp
    curl -sS https://www.cloudflare.com/ips-v6 >>$cfTemp

    to:

    curl -sS https://www.cloudflare.com/ips-v4/ >$cfTemp && printf "\n" >> $cfTemp
    curl -sS https://www.cloudflare.com/ips-v6/ >>$cfTemp

    Then remove the cf-stop file and rerun the script:

    rm /etc/nginx/conf.d/cf-stop && bash cf.sh

  • Stefan Yakubov

    Hello, Q

    Thank you for the feedback. The `-L` option was added to the curl command in the script, so it'll follow redirection from now on.

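One way to keep a failed download from silently producing a broken or empty configuration, as an added Python example that is not part of cf.sh or of the thread: each fetched list is checked to be non-empty and made up only of CIDR ranges before any directive is emitted. The function names and the sample response bodies, including the redirect page, are constructed assumptions.

```python
import ipaddress


class BadRangeList(ValueError):
    """Raised when a fetched list is empty or contains a non-CIDR line."""


def parse_ranges(body: str) -> list[str]:
    """Return the CIDR networks in `body` (one per line) or raise BadRangeList."""
    nets = []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank separator lines are harmless
        try:
            nets.append(str(ipaddress.ip_network(line, strict=True)))
        except ValueError as exc:
            raise BadRangeList(
                f"line {lineno}: not a CIDR range: {line[:40]!r}") from exc
    if not nets:
        raise BadRangeList("list is empty")
    return nets


def render_nginx(v4_body: str, v6_body: str,
                 header: str = "CF-Connecting-IP") -> str:
    """Build the snippet; nothing is returned unless both lists parse."""
    ranges = parse_ranges(v4_body) + parse_ranges(v6_body)
    lines = [f"real_ip_header {header};"]
    lines += [f"set_real_ip_from {net};" for net in ranges]
    return "\n".join(lines) + "\n"


# Constructed sample inputs (not captured from Cloudflare).
GOOD_V4 = "173.245.48.0/20\n103.21.244.0/22\n"
GOOD_V6 = "2400:cb00::/32\n2606:4700::/32\n"
REDIRECT_BODY = "<html><head><title>301 Moved Permanently</title></head></html>\n"

if __name__ == "__main__":
    print(render_nginx(GOOD_V4, GOOD_V6), end="")
    for bad in (REDIRECT_BODY, ""):
        try:
            render_nginx(bad, GOOD_V6)
        except BadRangeList as err:
            print("refusing to write config:", err)
```
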
  • adrian TNT

    This is my exact list that I add under 

    Domains > [DOMAIN NAME] > Apache & nginx Settings > Additional nginx directives 

    For some reason it didn't work to specify the same under service plan and set this for all domains.

    But it works for individual domains.

    The way I see it, `real_ip_header CF-Connecting-IP` tells it from what header field to take the real IP (CF-Connecting-IP in this case), and the list of `set_real_ip_from [...]` tells it from what parent source to trust this real IP field; otherwise a site visitor can provide this CF-Connecting-IP header field containing a fake IP.

    So you need both `real_ip_header` and `set_real_ip_from`; not sure why the above says "for Cloudflare Load Balancing" only.

    # live lists:
    # https://www.cloudflare.com/ips-v4
    # https://www.cloudflare.com/ips-v6
    #

    # !!! important
    real_ip_header CF-Connecting-IP;

    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;

    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2a06:98c0::/29;
    set_real_ip_from 2c0f:f248::/32;
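The trust rule described in the comment above, as an added Python model that is not part of the thread or of Plesk's script: nginx replaces the logged address with the `real_ip_header` value only when the connection itself comes from a `set_real_ip_from` network. The function and scenario names are hypothetical, the two ranges are taken from the list above, and the visitor addresses are constructed documentation-range values.

```python
import ipaddress


def effective_client_ip(peer, headers, trusted, header="CF-Connecting-IP"):
    """Simplified model: return the address that would be logged.

    peer    - address of the TCP connection nginx accepted
    trusted - networks listed with set_real_ip_from
    header  - header named by real_ip_header
    """
    peer_ip = ipaddress.ip_address(peer)
    from_trusted = any(peer_ip in ipaddress.ip_network(net) for net in trusted)
    value = headers.get(header, "").strip()
    if not from_trusted or not value:
        return peer                      # header ignored, peer address is logged
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer                      # unparsable header value is not used


# Constructed sample data: two ranges copied from the list above, plus
# documentation-range addresses standing in for visitors.
CLOUDFLARE = ["173.245.48.0/20", "2400:cb00::/32"]
CF_PEER = "173.245.48.10"      # a connection arriving from a Cloudflare range
VISITOR = "203.0.113.7"        # value the proxy puts in CF-Connecting-IP
DIRECT_PEER = "198.51.100.9"   # a client that connects to the origin directly
FORGED = "192.0.2.1"           # value that client writes into the header itself


def scenarios():
    via_cf = {"CF-Connecting-IP": VISITOR}
    forged = {"CF-Connecting-IP": FORGED}
    return {
        "header_only_no_trust_list":
            effective_client_ip(CF_PEER, via_cf, []),
        "cloudflare_list_via_proxy":
            effective_client_ip(CF_PEER, via_cf, CLOUDFLARE),
        "cloudflare_list_direct_forged":
            effective_client_ip(DIRECT_PEER, forged, CLOUDFLARE),
        "trust_everything_direct_forged":
            effective_client_ip(DIRECT_PEER, forged, ["0.0.0.0/0"]),
    }


if __name__ == "__main__":
    for name, logged in scenarios().items():
        print(f"{name:32} -> {logged}")
```

The first scenario matches the symptom reported at the top of the thread (the directive alone leaves the proxy address in the log), and the last one shows why the `set_real_ip_from` list should contain only the proxy's ranges.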
