Installing mod_cloudflare Apache Module To Get Real Visitor IP Addresses

Posted: 2015-11-19 20:34:28

If your Apache server is using CloudFlare for security, or to take advantage of their CDN, you’ll notice that all client requests now come in from CloudFlare IP addresses – and the real visitor IP address is hidden.

Not having access to the visitor/client IP address has significant downsides:
You cannot do IP based access controls.
You do not have valid access logs.
You break rewrite rules, .htaccess configurations, and various scripts and web applications.

mod_cloudflare fixes the above issues by providing Apache and PHP with the originating client IP address.

But there is a twist to all this, as you don’t really want to use a third-party Apache module (mod_cloudflare) when there is a perfectly good native solution already provided to you by mod_remoteip! And Apache’s mod_remoteip will do the same job as mod_cloudflare, except even better.

mod_remoteip will pull the original client IP address from the CF-Connecting-IP Header provided in each CloudFlare-based request, and use it as the client address (after doing some verification).

The full configuration for mod_cloudflare/mod_remoteip is provided by WampDeveloper Pro, and can be loaded into Apache by un-commenting the loading of wampd_cloudflare.conf in httpd.conf.

For everyone else, here is the full CloudFlare configuration for Apache:

# WampDeveloper Pro CloudFlare Integration

# mod_remoteip configuration documentation - http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
# CloudFlare IP Ranges from -
#   https://www.cloudflare.com/ips
#   https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c
#

#
# To use, just enable your domain name in your CloudFlare account.
# This module and configuration will correctly report the client's true IP / Remote IP (instead of the Proxy IP)
# This fixes issues with web applications, scripts, access and rewrite configurations, and logs
#

<IfModule !mod_remoteip.c>
	LoadModule remoteip_module modules/mod_remoteip.so
</IfModule>

<IfModule mod_remoteip.c>
	# CloudFlare Header
	RemoteIPHeader CF-Connecting-IP
	
	# Trusted Proxy List
	# note - using RemoteIPTrustedProxy instead of RemoteIPInternalProxy
	# note - RemoteIPTrustedProxy does NOT trust Header provided private intranet addresses (local and LAN addresses)
	# note - RemoteIPInternalProxy is a security risk when using an external Proxy
	
	# CloudFlare IPv4 Address Ranges
	RemoteIPTrustedProxy 103.21.244.0/22
	RemoteIPTrustedProxy 103.22.200.0/22
	RemoteIPTrustedProxy 103.31.4.0/22
	RemoteIPTrustedProxy 104.16.0.0/12
	RemoteIPTrustedProxy 108.162.192.0/18
	RemoteIPTrustedProxy 141.101.64.0/18
	RemoteIPTrustedProxy 162.158.0.0/15
	RemoteIPTrustedProxy 172.64.0.0/13
	RemoteIPTrustedProxy 173.245.48.0/20
	RemoteIPTrustedProxy 188.114.96.0/20
	RemoteIPTrustedProxy 190.93.240.0/20
	RemoteIPTrustedProxy 197.234.240.0/22
	RemoteIPTrustedProxy 198.41.128.0/17
	RemoteIPTrustedProxy 199.27.128.0/21
	
	# CloudFlare IPv6 Address Ranges
	RemoteIPTrustedProxy 2400:cb00::/32
	RemoteIPTrustedProxy 2405:8100::/32
	RemoteIPTrustedProxy 2405:b500::/32
	RemoteIPTrustedProxy 2606:4700::/32
	RemoteIPTrustedProxy 2803:f800::/32
</IfModule>

After correcting Apache’s reported client IP and PHP’s reported $_SERVER['REMOTE_ADDR'], this configuration also secures the process by only trusting the Header-provided IP data when the request comes from CloudFlare’s server IP ranges.
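
The trust decision described above, as an added example (a simplified Python model, not mod_remoteip's code and not part of the original post). The function names, the PRIVATE list and the sample addresses are assumptions constructed for illustration; the proxy ranges are a subset of the configuration above.

```python
import ipaddress
import re

# Subset of the RemoteIPTrustedProxy lines from the configuration above.
CONF = """
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 2606:4700::/32
"""

# Assumption: header values in these ranges are refused, modelling the
# "does NOT trust private intranet addresses" note in the configuration.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def trusted_proxies(conf_text):
    """Collect the networks named by RemoteIPTrustedProxy directives."""
    pattern = re.compile(r"^\s*RemoteIPTrustedProxy\s+(\S+)", re.M)
    return [ipaddress.ip_network(m) for m in pattern.findall(conf_text)]


def effective_client_ip(peer, header_value, proxies):
    """Return the address that access rules and logs would see."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in net for net in proxies):
        return str(peer_ip)      # direct connection: header is ignored
    try:
        claimed = ipaddress.ip_address((header_value or "").strip())
    except ValueError:
        return str(peer_ip)      # missing or malformed header
    if any(claimed in net for net in PRIVATE):
        return str(peer_ip)      # private address from an external proxy
    return str(claimed)


PROXIES = trusted_proxies(CONF)

if __name__ == "__main__":
    # Constructed cases: (connecting peer, CF-Connecting-IP value)
    for peer, hdr in [("104.16.1.1", "198.51.100.9"),     # via a listed proxy
                      ("203.0.113.50", "198.51.100.9"),   # direct, forged header
                      ("104.16.1.1", "192.168.1.5")]:     # private header value
        print(peer, hdr, "->", effective_client_ip(peer, hdr, PROXIES))
```

The second case is the one the trusted proxy list exists for: a client that connects directly and sends its own CF-Connecting-IP header is still logged and access-checked under its real address.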