Applicable to:
- Plesk Obsidian for Linux
- Plesk Onyx for Linux
- Plesk for Linux
Symptoms
-
Plesk is running behind a Cloudflare or Google Cloud Load Balancing.
-
Internal IP address of load balancer or proxy is displayed in domain logs (Domains > example.com > Logs) instead of the client's IP (real visitor's IP):
CONFIG_TEXT: Access 192.0.2.2 200 GET / HTTP/1.0
Cause
Proxies and load balancers rewrite the origin IP address and specify the client's IP address in an additional HTTP header.
Resolution
- Log into the server via SSH.
- Using the next command verify that the
remoteip_moduleApache module is enabled:
# (apache2ctl -M || httpd -M) | grep remoteip_module
The output below means that
remoteip_modulemodule is enabled:CONFIG_TEXT: remoteip_module (shared)
Then apply one of the following solutions:
-
Go to Domains > example.com > Apache & nginx Settings, and add the following content to the Additional nginx directives:
-
For Cloudflare:
CONFIG_TEXT: real_ip_header CF-Connecting-IP;
-
For Cloudflare Load Balancing:
CONFIG_TEXT: set_real_ip_from 130.0.0.0/8;
set_real_ip_from 35.0.0.0/8;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header X-Forwarded-For;
real_ip_recursive on;Note: It might be required to add other IP address ranges to the set_real_ip_from based on the Google Compute Engine zone used.
-
-
Go to Domains > example.com > Apache & Nginx Settings and add the following content to both Additional directives for HTTP and Additional directives for HTTPS:
Note: The remoteip module should be enabled in Tools & Settings > Apache Web Server
-
For Cloudflare:
CONFIG_TEXT: RemoteIPHeader CF-connecting-IP
-
For Google Cloud Load Balancing:
CONFIG_TEXT: RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 130.0.0.0/8
RemoteIPInternalProxy 35.0.0.0/8
-
-
Connect to the server via SSH.
-
Download and execute the next script in order to add the Nginx variables globally:
# curl -L -so /root/cf.sh https://plesk.zendesk.com/hc/article_attachments/4406613093138/cf.sh && chmod 700 /root/cf.sh
-
Execute the script:
# /root/cf.sh
Note: The script could be called at the required intervals using Plesk Scheduled Tasks.
-
Connect to the server via SSH.
-
Make sure that
/etc/httpd/conf/httpd.confhas the followingLogFormat:CONFIG_TEXT: LogFormat "%a %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
-
Create a new configuration file
/etc/httpd/conf.d/cloudflare.confand add Cloudflare IP addresses there:CONFIG_TEXT: RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32 -
Restart Apache service:
-
For CentOS\RHEL:
# systemctl restart httpd
-
For Debian\Ubuntu:
# systemctl restart apache2
-
Note: For additional information on proper HTTP headers with the client's IP address for non-listed services contact the support of the proxy/load-balancing service or its system administrator.
Comments
9 comments
Hello Mikhail,
having exactly this issue now.Having Apache and Nginx Recerse Proxy together with CF Free. Moving to a new host now, and have there the CF Server Shield Extension not available in the Web-catalog anymore, why is the CF Extension not available, this would fix the issue directly?
On my old Host i have the CF Server Shield Extension still installed, when i check there i have the File cloudflare.conf with the following entries:
# $remote_addr rewriting in case of NGINX behind CloudFlare.
# See also mod_cloudflare Apache module configuration.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;
As you can see on the bottom of the File is the entry real_ip_header CF-Connecting-IP; included., is this correct?
Can you please let me know if really just the Ngix Conf has to be adapted, or as well Apache Config? Also what is with Fail 2 Ban or Firewall, WAF etc. must the CF Ips excluded there as well, is there a manual somewhere??
I really dont understand why the CF Extension is not available in the Webcatalog anymore, and i guess im not the only Plesk User with Cloudflare Free Account, having this issues...
Is there the possibility to download / install the last CF Server Shield Extension??
Thx
Chris
Hello Chris,
The ServerShield by Cloudflare extension is not available for installation anymore. You may read additional details here:
Why ServerShield by CloudFlare is not available for installation or purchase in Plesk?
In general, it should be enough to add the Additional Directives for nginx. However, you may check it with Cloudflare support or a Network administrator.
Hi, I have Plesk set up as default as Nginx ( Reverse Proxy Server ) > Apache.
When following the guide for the Server-wide solution with Nginx enabled I get errors:
When I run the provided script cf.sh with the Plesk Scheduled Tasks I get this error:
When I run the provided script in SSH /root/cf.sh I get this error:
How can I fix this?
The documentation is not complete because:
Server-wide solution with Apache only only has the steps for Centos, in Debian for example there is no
/etc/httpd/conf/httpd.conf directory.
but: /etc/apache2/conf-enabled
The documentation is incomplete for Debian and Ubuntu which are the most in need of this guide as Plesk does not keep the Cloudflare module up to date.
Since a couple of days the script stoped working after months working without any problems.
I tried running it manually and get the following error:
Plesk Obsidian
Version 18.0.49 Update 1
CloudLinux 7.9 (Boris Yegorov)
The script is incompatible with the latest Plesk?
@Javier The issue is being investigated in scope of support request you created
Nothing seems to work.
I added these to nginx additional config:
Then restarted nginx and apache.
None of the two lines change IP in nginx proxy log or in apache log. I tried both lines.
I still see only cloudflare ips in the logs.
There is no remoteip module under "tools and settings > apache web server settings".
This is VERY FRUSTRATING, I think you fail at writing important documentation for EXTREMLY common problems.
Edit, I got it working with below configuration, the documentation is unclear, it says to add the IPs list only for cloudflare load balanncing, I don't have load balancing, but you need to add the IPs in order for this to work:
The live plain text IP list from Cloudflare is here: https://www.cloudflare.com/ips-v4
@adrian TNT - thanks, this worked for us too. First time user of Plesk (and nginx) and we've been scratching our heads over the end-user IP address.
Shame this can't be added as a GLOBAL config for nginx as opposed to having to add it to all the hosted domains individually.
On first glance we missed the link above for - Server-wide solution with Nginx enabled - coupled with a daily cron of the cf.sh file the nginx conf list should be kept up-to-date.
Please sign in to leave a comment.