IP Access Restriction Management doesn't work as expected when the hostname is behind Cloudflare

Applicable to:

  • Plesk for Linux

Symptoms

  • In Tools and Settings > IP Access Restriction Management, several IP addresses are restricted from accessing the Plesk UI.

  • The hostname used to access Plesk over https://hostname:8443 is behind Cloudflare:

    curl -kI https://hostname:8443 2> /dev/null | grep Server
    Server: cloudflare

  • Access from the restricted IPs is not blocked as expected.

Cause

The hostname is behind Cloudflare.
With Cloudflare, or any other CDN or proxy server, the remote peer of the connection to Plesk is the CDN/proxy instance, not the end user's computer. A CDN/proxy usually passes the original client's IP address in an HTTP header. In particular, Cloudflare adds the 'X-Forwarded-For' and 'CF-Connecting-IP' headers. However, a web server that handles the incoming connection cannot trust header data by default, because any client can set these headers itself. That is why the IP address of the CDN/proxy has to be explicitly trusted in the web server configuration before the header value is used in place of the peer address.
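
The trust decision described above, as an added example (not Plesk or Cloudflare code). The function names are hypothetical, all addresses are constructed RFC 5737 documentation values, and trusted proxies are matched as exact addresses only, mirroring the realIpFrom limitation described under Resolution:

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation addresses), not real Cloudflare IPs.
TRUSTED_PROXIES = {"127.0.0.1", "198.51.100.10"}  # exact addresses only
RESTRICTED = {"203.0.113.7"}                      # address denied in the panel


def effective_client_ip(peer_ip, headers, trusted_proxies):
    """Return the address that access rules should be evaluated against.

    A forwarded header is honoured only when the TCP peer is a trusted
    proxy; in every other case the peer address itself is used.
    """
    peer = str(ipaddress.ip_address(peer_ip))
    if peer not in trusted_proxies:
        return peer  # untrusted peer: ignore whatever the headers claim
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    candidate = lowered.get("cf-connecting-ip")
    if candidate is None:
        # The rightmost X-Forwarded-For entry is the one the trusted proxy
        # appended; entries to its left were supplied by the client.
        candidate = lowered.get("x-forwarded-for", "").split(",")[-1].strip() or None
    if candidate is None:
        return peer
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer  # malformed header value: fall back to the peer


def is_blocked(peer_ip, headers, trusted_proxies, restricted=RESTRICTED):
    """Apply the deny list to the effective client address."""
    return effective_client_ip(peer_ip, headers, trusted_proxies) in restricted


if __name__ == "__main__":
    via_proxy = {"CF-Connecting-IP": "203.0.113.7"}
    # Symptom: the proxy is not trusted, so the rule is checked against the proxy address.
    print(is_blocked("198.51.100.10", via_proxy, {"127.0.0.1"}))      # False
    # Proxy trusted: the restricted client is recognised and blocked.
    print(is_blocked("198.51.100.10", via_proxy, TRUSTED_PROXIES))    # True
    # Direct connection with a forged header: the header is ignored.
    forged = {"CF-Connecting-IP": "192.0.2.1"}
    print(is_blocked("203.0.113.7", forged, TRUSTED_PROXIES))         # True
```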

Resolution

Because sw-cp-server currently does not include the realip module, use one of the solutions below:

  1. Use a custom domain name (or a hostname) on port 443 for Plesk access: Administrator's Guide: Customizing Plesk URL.
    In this case, the request is handled by the frontend nginx, which includes the realip module. The official solution provided by Cloudflare may be used in this case: Cloudflare: Restoring original visitor IPs.

  2. Use a custom domain name or a subdomain that is not behind Cloudflare, for example, https://plesk.hostname, as the entry point to Plesk. In this case, there will be no CDN in front of Plesk.

  3. Configure Plesk to trust Cloudflare.
    Currently, there is a restriction: Plesk does not allow IP ranges in this configuration. This behavior is known as the Plesk bug with ID #PPP-52375, which is planned to be fixed in future Plesk updates.
    However, it is possible to use particular IP addresses. Lines like the ones below may be added to the panel.ini file. Add them using the Panel.ini Editor extension or by modifying /usr/local/psa/admin/conf/panel.ini directly on the server:

    [panel]
    realIpFrom = 127.0.0.1, <CloudflareIP1>, <CloudflareIP2>
