Issue Cloudflare - Logs showing Cloudflare IPs, not client IP

[hunterwolf]

Server operating system version

AlmaLinux 9.7

Plesk version and microupdate number

18.0.73 #5

Hi,

We have tried :

Incorrect IP addresses are logged in the access logs of Plesk domains behind a Cloudflare CDN proxy or Google Cloud Load Balancing - Support Cases from Plesk Knowledge Base

www.plesk.com

But nothing seems to work. Still logs save with cloudflare proxy ip and can't ban IP adress because fail2ban not working correctly.

 

[Raul A.]

You need to implement in nginx conf.d Module ngx_http_realip_module

Add a set_real_ip_from directive for each Cloudflare subnets. IP Ranges (you have links to plain text lists in the article)

 

[hunterwolf]

Thx for reply. but we already apply article, cron job working for update, but nothing. still all logs show cloudflare IP's.

 

[Sebahat.hadzhi]

Hi, @hunterwolf . Could you please confirm which logs exactly are you referring to - domain logs or panel access logs? The IP addresses in the domain name logs should properly reflect the IP addresses after applying the changes in the article. However, that won't apply to panel access logs.

 

[hunterwolf]

Hi, @hunterwolf . Could you please confirm which logs exactly are you referring to - domain logs or panel access logs? The IP addresses in the domain name logs should properly reflect the IP addresses after applying the changes in the article. However, that won't apply to panel access logs.

Thx for reply. I'm talking about domain access and error logs. You can see it in the picture, all cloudflare IP's.

 

[bulent]

Any solution here?
I have applied the same fix but didnt help. In domain accsess logs too many CF IPs.

 

[bulent]

Hi,
I have found the solution. After applying the fix above, I forgot to remove the IPs from Additional nginx directives.
I removed them and now I have visitor IPs in my logs.
In end of the fix it says "Note: The script could be called at the required intervals using Plesk Scheduled Tasks." How often should the script be called?

 

[hunterwolf]

Hi,
I have found the solution. After applying the fix above, I forgot to remove the IPs from Additional nginx directives.
I removed them and now I have visitor IPs in my logs.
In end of the fix it says "Note: The script could be called at the required intervals using Plesk Scheduled Tasks." How often should the script be called?

Hi,

I think cron running once a day would be enough.

But the solution still doesn't work for me. Still logs save with cloudflare proxy ip.
I don't understand which IP address you removed. Which Additional nginx directives are you referring to?

 

[bulent]

I had issue with some bots crowling my server for several days and failtoban was banning the cloudflare IPs. Then I found this article. At the begining didnt work for me, because my configuration was like this



Then I removed the IPs from additional nginx directive and everything worked as expected.
Now in accses logs I see real IPs and failtoban bans them as expected.

 

[hunterwolf]

I see. You had previously added the Cloudflare IP addresses in directive box.

I don't understand why the solution isn't working for me. I followed the article exactly, but it's still the same.

 

[bulent]

Is your nginx proxy settings like mine?
There are two variants in the article , first with nginx proxy and second with only apache.

 

[hunterwolf]

I think I've found where the mistake is.

The file /etc/nginx/conf.d/cloudflare.conf was empty. i execute script file "cf.sh" 2-3 times, still empty.
i remove cloudflare.conf.
When I ran the cf.sh again, it was added correctly.

 

[WebHostingAce]

@hunterwolf,

I tried the following:

• Download and execute the next script in order to add the Nginx variables globally:
  curl -LO https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh && chmod 700 /root/cf.sh
• Execute the script:
  bash cf.sh

I can confirm it is working as expected on my side, so I’m not sure why /etc/nginx/conf.d/cloudflare.conf is ending up empty.

From the server, when you run:

#curl -LO https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh && chmod 700 /root/cf.sh

and then test these commands:

#curl -sSL https://www.cloudflare.com/ips-v4

#curl -sSL https://www.cloudflare.com/ips-v6

do you see the list of Cloudflare IPs returned?

 

[hunterwolf]

@WebHostingAce
Thx for reply. As I said, it's working normally right now.

Previously, it was creating empty files for some reason. After rm -rf the file, it recreated it containing IP addresses.

 

[WebHostingAce]

@Sebahat.hadzhi I believe this script https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh should be improved to prevent such issues.

The current script,

- If Cloudflare returns empty response -> file is empty
- If request fails silently -> file may still be empty
- Script continues anyway

 

[Sebahat.hadzhi]

@WebHostingAce , Thank you for the feedback. I will consult further with our team on the possibility of optimizing the script.