Restoring Original Visitor IPs with mod_remoteip in Apache on Ubuntu/Plesk/HestiaCP


In this tutorial, we will walk through the steps to install and configure the mod_remoteip module in Apache, enabling the restoration of original visitor IP addresses when using Cloudflare as a proxy service. If you have checked your server logs and noticed that all IP addresses are from Cloudflare rather than the actual visitors, this guide will help you address the issue by configuring Apache to correctly handle Cloudflare’s proxy IPs.

Prerequisites

Ensure you are logged in as the root user via SSH to perform the required configurations.

Step 1: Enable the mod_remoteip Module

The first step is to enable the mod_remoteip module in Apache. This module is responsible for restoring the original IP addresses of visitors who are routed through Cloudflare.

1. Run the following command to enable the module:

a2enmod remoteip

Step 2: Modify the Apache Configuration File

Next, we need to make changes to the apache2.conf file to use the mod_remoteip configuration.

1. Install the text editor nano if it’s not already installed:

apt install nano

2. Open the Apache configuration file for editing:

nano /etc/apache2/apache2.conf

3. At the end of the file, add the following line to configure Apache to use the X-Forwarded-For header, which Cloudflare sends with each request:

RemoteIPHeader X-Forwarded-For

4. Next, find the LogFormat directive in the configuration file. You will need to modify the log format to ensure that the original visitor IP addresses are logged.

Search for the following line:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Replace it with this updated version:

LogFormat "%a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

In this modification, %a is added at the start of the log format. %a logs the client IP address of the request, which mod_remoteip sets to the visitor’s real address taken from the header Cloudflare sends.

Step 3: Configure Trusted Cloudflare IPs

To ensure that Apache recognizes Cloudflare’s IPs as trusted proxies, we need to create a configuration file that specifies Cloudflare’s IP ranges.

1. Create a new configuration file called remoteip.conf in the /etc/apache2/conf-available/ directory:

nano /etc/apache2/conf-available/remoteip.conf

2. Paste the following configuration into the file. The RemoteIPTrustedProxy lines list Cloudflare’s proxy IP ranges. Apache trusts the client IP header only when the request arrives from one of these addresses:

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

3. Save the file and exit the text editor.

Step 4: Restart Apache and Verify

After completing the configuration, restart the Apache service to apply the changes.

1. Restart Apache:

systemctl restart apache2

Once Apache has restarted, check the Apache access logs to confirm that the original IP addresses are now being logged instead of Cloudflare’s proxy IPs. The logs should now show the visitor’s real IP addresses.
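
One way to automate the log check described above (an added example, not part of the original tutorial): the script reads the RemoteIPTrustedProxy ranges and reports log entries whose first field (%a in the LogFormat from Step 2) is still a Cloudflare address. The config text and log lines are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a few RemoteIPTrustedProxy lines in the style of remoteip.conf.
SAMPLE_CONF = """\
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 2606:4700::/32
"""

# Constructed sample log lines in the tutorial's format: %a first, then %h.
SAMPLE_LOG = [
    '203.0.113.7 203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '172.64.1.10 172.64.1.10 - - [10/Jan/2025:10:00:02 +0000] "GET /a HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '2606:4700::1 2606:4700::1 - - [10/Jan/2025:10:00:03 +0000] "GET /b HTTP/1.1" 404 - "-" "Mozilla/5.0"',
    'garbage-line-without-an-ip',
]


def load_trusted_proxies(conf_text):
    """Return the networks named by RemoteIPTrustedProxy directives."""
    nets = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "remoteiptrustedproxy":
            continue
        for value in parts[1:]:
            try:
                nets.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                pass  # the directive also accepts hostnames; not resolved here
    return nets


def unrestored_entries(log_lines, nets):
    """Return (line_number, ip) for entries whose %a field is a proxy address."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        try:
            ip = ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue  # not an address: different log format or damaged line
        if any(ip in net for net in nets):
            hits.append((number, str(ip)))
    return hits


if __name__ == "__main__":
    trusted = load_trusted_proxies(SAMPLE_CONF)
    for number, ip in unrestored_entries(SAMPLE_LOG, trusted):
        print(f"line {number}: client field {ip} is still a proxy address")
```

If every entry is flagged, check that remoteip.conf is actually being loaded by Apache and that only one RemoteIPHeader directive is in effect.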

That’s It!

By configuring the mod_remoteip module and specifying Cloudflare’s trusted proxy IPs, Apache will correctly log the original IP addresses of visitors, even when using Cloudflare’s proxy service. This process ensures that your logs accurately reflect the actual clients accessing your site.