Posted: 2015-11-19 20:34:28
If your Apache server is using CloudFlare for security, or to take advantage of their CDN network, you’ll notice that all client requests now come in from CloudFlare IP addresses – and the real visitor IP address is hidden.
Not having access to the visitor/client IP address has significant downsides:
You cannot do IP based access controls.
You do not have valid access logs.
You break rewrite rules, .htaccess configurations, and various scripts and web applications.
mod_cloudflare fixes the above issues by providing Apache and PHP with the originating client IP address.
But there is a twist to all this, as you don’t really want to use a 3rd party Apache module (mod_cloudflare) when there is a perfectly good native solution already provided to you by mod_remoteip! And Apache’s mod_remoteip will do the same job as mod_cloudflare, except even better.
mod_remoteip will pull the original client IP address from the CF-Connecting-IP Header provided in each CloudFlare-based request, and use it as the client IP (after doing some verification).
The full configuration for mod_cloudflare/mod_remoteip is provided by WampDeveloper Pro, and can be loaded into Apache by un-commenting the loading of wampd_cloudflare.conf in httpd.conf.
For everyone else, here is the full CloudFlare configuration for Apache:
    # WampDeveloper Pro CloudFlare Integration
    # mod_remoteip configuration documentation - http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
    # CloudFlare IP Ranges from -
    # https://www.cloudflare.com/ips
    # https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c
    #
    #
    # To use, just enable your domain name in your CloudFlare account.
    # This module and configuration will correctly report the client's true IP / Remote IP (instead of the Proxy IP)
    # This fixes issues with web applications, scripts, access and rewrite configurations, and logs
    #

    <IfModule !mod_remoteip.c>
        LoadModule remoteip_module modules/mod_remoteip.so
    </IfModule>

    <IfModule mod_remoteip.c>

        # CloudFlare Header
        RemoteIPHeader CF-Connecting-IP

        # Trusted Proxy List
        # note - using RemoteIPTrustedProxy instead of RemoteIPInternalProxy
        # note - RemoteIPTrustedProxy does NOT trust Header provided private intranet addresses (local and LAN addresses)
        # note - RemoteIPInternalProxy is a security risk when using an external Proxy

        # CloudFlare IPv4 Address Ranges
        RemoteIPTrustedProxy 18.104.22.168/22
        RemoteIPTrustedProxy 22.214.171.124/22
        RemoteIPTrustedProxy 126.96.36.199/22
        RemoteIPTrustedProxy 188.8.131.52/12
        RemoteIPTrustedProxy 184.108.40.206/18
        RemoteIPTrustedProxy 220.127.116.11/18
        RemoteIPTrustedProxy 18.104.22.168/15
        RemoteIPTrustedProxy 22.214.171.124/13
        RemoteIPTrustedProxy 126.96.36.199/20
        RemoteIPTrustedProxy 188.8.131.52/20
        RemoteIPTrustedProxy 184.108.40.206/20
        RemoteIPTrustedProxy 220.127.116.11/22
        RemoteIPTrustedProxy 18.104.22.168/17
        RemoteIPTrustedProxy 22.214.171.124/21

        # CloudFlare IPv6 Address Ranges
        RemoteIPTrustedProxy 2400:cb00::/32
        RemoteIPTrustedProxy 2405:8100::/32
        RemoteIPTrustedProxy 2405:b500::/32
        RemoteIPTrustedProxy 2606:4700::/32
        RemoteIPTrustedProxy 2803:f800::/32

    </IfModule>
After correcting Apache’s reported client IP and PHP’s reported $_SERVER['REMOTE_ADDR'], this configuration also secures the process by only trusting the Header-provided IP data when the request comes from an address in CloudFlare’s IP ranges.
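The trust decision described above, as an added example that is not part of the original post and not Apache's own code: a simplified Python model of how a RemoteIPTrustedProxy-style check treats CF-Connecting-IP. The function name effective_client_ip and the IPv4 proxy range 198.51.100.0/24 are assumptions made for illustration; the IPv6 ranges are taken from the configuration above.

```python
import ipaddress

# Trusted proxy ranges. The IPv6 ranges come from the configuration above;
# the IPv4 range is a constructed placeholder, not a real CloudFlare range.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "2400:cb00::/32", "2606:4700::/32", "198.51.100.0/24")]

# Blocks that RemoteIPTrustedProxy does not accept from the header
# (as listed in the mod_remoteip documentation).
INTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, cf_connecting_ip):
    """Return the address the application should treat as the client."""
    peer = ipaddress.ip_address(peer_ip)
    # 1. The header is ignored unless the TCP peer is a trusted proxy,
    #    so a direct client cannot spoof its address by sending the header.
    if not _in_any(peer, TRUSTED_PROXIES):
        return str(peer)
    # 2. The header must hold one syntactically valid address.
    try:
        claimed = ipaddress.ip_address((cf_connecting_ip or "").strip())
    except ValueError:
        return str(peer)
    # 3. Private or internal addresses are not accepted from an external proxy.
    if claimed.version == 4 and _in_any(claimed, INTERNAL_V4):
        return str(peer)
    if claimed.version == 6 and claimed not in PUBLIC_V6:
        return str(peer)
    return str(claimed)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, CF-Connecting-IP header value)
    for peer, header in [("198.51.100.10", "203.0.113.7"),
                         ("192.0.2.50", "203.0.113.7"),
                         ("198.51.100.10", "10.0.0.5")]:
        print(peer, header, "->", effective_client_ip(peer, header))
```
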