Skip to main content

Configuring NGINX to Retrieve Real IP from Cloudflare

When using Cloudflare as a reverse proxy, all incoming requests to your server will appear to come from Cloudflare’s IP addresses instead of the actual client IP addresses. To correctly log the real IP address of the client for auditing purposes, you need to configure NGINX to extract and log the client’s real IP address. This guide explains how to configure NGINX to retrieve the real client IP from Cloudflare.

Step-by-Step Configuration

  1. Update Cloudflare IP Ranges in NGINX Configuration To retrieve the real IP address of a client, you must inform NGINX about the IP ranges used by Cloudflare. This allows NGINX to trust the X-Forwarded-For or CF-Connecting-IP headers provided by Cloudflare. To Get Ip list of cloudflare Visit: https://www.cloudflare.com/en-in/ips/ Add the following lines to your NGINX configuration file (usually found in /etc/nginx/nginx.conf or a specific configuration file in /etc/nginx/conf.d/): 
    # Trust Cloudflare's IP ranges
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
    These lines tell NGINX to trust Cloudflare’s proxy addresses, allowing it to accept the real client IP forwarded by Cloudflare.
  2. Specify the Header for the Real IP Next, specify which header NGINX should use to determine the real client IP. Cloudflare uses the CF-Connecting-IP header to pass the original client IP. Add the following directive: 
    real_ip_header CF-Connecting-IP;
    This tells NGINX to look for the client’s real IP address in the CF-Connecting-IP header.
  3. Enable Recursive Real IP Resolution To ensure NGINX processes the real_ip_header correctly even if multiple proxies are involved, enable recursive resolution: 
    real_ip_recursive on;
    With real_ip_recursive set to on, NGINX will search the entire header chain to find the first non-trusted IP and use that as the client’s IP.
  4. Log the Real IP Ensure your access logs are set to log the correct client IP. This is usually the default behavior if real_ip_header is set correctly. You can verify your logging format in the http block of your NGINX configuration: 
    access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
    The access log will now record the real client IP address.
  5. Reload NGINX Configuration After making the changes, save the configuration file and reload NGINX to apply the new settings: 
    sudo systemctl reload nginx
  6. Example configuration nginx.conf 
    user                 www-data;
pid                  /run/nginx.pid;
worker_processes     auto;
worker_rlimit_nofile 65535;

# Load modules
include              /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept       on;
    worker_connections 65535;
}

http {
    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    server_tokens          off;
    log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    client_max_body_size   16M;
    underscores_in_headers on;


    # Logging 
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;

    real_ip_header CF-Connecting-IP;
    real_ip_recursive on;


    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    include                /etc/nginx/conf.d/*.conf;
    include                /etc/nginx/sites-enabled/*;
    
    }

Use Case

By following this configuration, you can ensure that your NGINX server logs and utilizes the real IP address of clients who access your site through Cloudflare. This is particularly useful for:
  • Security Auditing: Keeping accurate logs of visitor IP addresses for security and auditing purposes.
  • Rate Limiting and Access Control: Implementing rate limits and access controls based on the actual IP address of the client, rather than Cloudflare’s proxy IPs.
  • Troubleshooting and Analysis: Better understanding of traffic patterns and potential malicious activity by correctly identifying client IP addresses.
By correctly configuring NGINX with Cloudflare, you maintain an accurate record of user interactions, which is crucial for both security and operational insights.
This documentation should help you configure your NGINX server to correctly interpret the real client IP addresses behind the Cloudflare proxy. Make sure to regularly check for updates to Cloudflare’s IP ranges and update your configuration accordingly.