How to see CF IP?

Hi,

We are running behind CloudFlare (on most sites, but not all). I’m still seeing some traffic coming from what seems to be countries we have blocked. So I’m trying to see if I can actually see the CF IP as well in the log. So I added this into nginx.conf:

    map $realip_remote_addr $via_cf {

        ""       "direct";      # no real_ip rewrite -> not from Cloudflare range

        default  "cloudflare";  # real_ip rewrote -> came from a Cloudflare IP

    }

We are using nginx + Apache, so in nginx config we have:

   location / {

        include /etc/nginx/alibabamain-deny.conf;       

        proxy_pass https://170.187.188.92:8443;

        location ~* ^.+\.(jpg|jpeg|gif|png|ico|svg|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|odt|ods|odp|odf|tar|wav|bmp|rtf|js|mp3|avi|mpeg|flv|html|htm)$ {

            try_files  $uri @fallback;

            root       /home/wbssystem/web/xxx.nl/public_html;

            access_log /var/log/apache2/domains/xxx.nl.log combined;

            access_log /var/log/apache2/domains/xxx.nl.bytes bytes;

            expires    max;

        }

    }

I reboot nginx, and now I’m looking where the “combined” log is set?

access_log /var/log/apache2/domains/xxx.nl.log combined;

I must be missing something stupid

Thanks!

Andy

Hi,

Where are you blocking them, in Hestia or Cloudflare?

If you are blocking them in Hestia, take a look to this post:

Hi

We are blocking them at Cloudflare’s end via the rules. Most of them are blocked, but I’m still seeing some getting through that I’m not convinced should be. So I’m trying to see if I can set a flag / show the proxy IP of Cloudflare, if it exists - so I could then confirm if they are bypassing CF (by using the old exposed IPs from the old DNS). If thats the case, then I need to lock the sites down so they only allow CF IPs - but I don’t really want to do it server-wide, as not all accounts use it

Cheers

Andy

Hi,

Edit /etc/nginx/nginx.conf and add this new log_format:

log_format                      cloudflare '$remote_addr CF_IP:$realip_remote_addr $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

To test it, edit the nginx conf of one of your domains /etc/nginx/conf.d/domains/example.net.conf and /etc/nginx/conf.d/domains/example.net.ssl.conf and instead of combined, use the new cloudflare log format.

Before:

access_log  /var/log/nginx/domains/example.net.log combined;

After:

access_log  /var/log/nginx/domains/example.net.log cloudflare;

Once done, restart nginx.

systemctl restart nginx

If it works, remember that you should create a new template for your domain to apply the changes permanently.

Also, I’ve assumed that you are using Nginx only.

Thanks. I finally figured it out… CF was accessing the http version, and I was editing the ssl version config… duh! So although what I was seeing on the frontend was SSL, the bit CF was calling was http … thus is was never calling my new log. Now it works perfectly.

Thanks

I apologize if this is a stupid question, I’ve been reading for several days and there are a lot of concepts, as I’m looking to migrate my sites to this new panel.
My idea is that, since I’m also using Cloudflare, I want site visitors to log in with their real IP addresses. Is the procedure described here the correct one for this? I’ve seen that the Cloudflare IPs are in this file: /etc/nginx/conf.d/cloudflare.inc, so I deduced that it’s configured for this, but right now, I’m completely confused…

Thanks

No

No worries, you don’t need to do anything. The real IP will appear in your logs. This topic was about logging Cloudflare’s IP as well, not only the clients’ IPs.

Okay, thanks, sometimes I do seem… silly…

I’m dealing with IPv6, trying to enable it everywhere, and I’ve read so much that… I saw this thread and thought maybe I should try it.

Thanks and sorry

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.