Installing mod_cloudflare Apache Module To Get Real Visitor IP Addresses

If your Apache server is using CloudFlare for security, or to take advantage of their CDN network, you’ll notice that all client requests now come in from CloudFlare IP addresses, and the real visitor IP address is hidden.

Not having access to the visitor/client IP address has significant downsides:
You cannot do IP-based access controls.
You do not have valid access logs.
You break rewrite rules, .htaccess configurations, and various scripts and web applications.

mod_cloudflare fixes the above issues by providing Apache and PHP with the originating client IP address.

But there is a twist to all this, as you don’t really want to use a 3rd party Apache module (mod_cloudflare) when there is a perfectly good native solution already provided to you by mod_remoteip! And Apache’s mod_remoteip will do the same job as mod_cloudflare, except even better.

mod_remoteip will pull the original client IP address from the CF-Connecting-IP Header provided in each CloudFlare-based request, and use it as the client address (after doing some verification).

The full configuration for mod_cloudflare/mod_remoteip is provided by WampDeveloper Pro, and can be loaded into Apache by un-commenting the loading of wampd_cloudflare.conf in httpd.conf.

For everyone else, here is the full CloudFlare configuration for Apache:

# WampDeveloper Pro CloudFlare Integration

# mod_remoteip configuration documentation - http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
# CloudFlare IP Ranges from -
#   https://www.cloudflare.com/ips
#   https://github.com/cloudflare/mod_cloudflare/blob/master/mod_cloudflare.c
#

#
# To use, just enable your domain name in your CloudFlare account.
# This module and configuration will correctly report the client's true IP / Remote IP (instead of the Proxy IP)
# This fixes issues with web applications, scripts, access and rewrite configurations, and logs
#

<IfModule !mod_remoteip.c>
	LoadModule remoteip_module modules/mod_remoteip.so
</IfModule>

<IfModule mod_remoteip.c>
	# CloudFlare Header
	RemoteIPHeader CF-Connecting-IP
	
	# Trusted Proxy List
	# note - using RemoteIPTrustedProxy instead of RemoteIPInternalProxy
	# note - RemoteIPTrustedProxy does NOT trust Header provided private intranet addresses (local and LAN addresses)
	# note - RemoteIPInternalProxy is a security risk when using an external Proxy
	
	# CloudFlare IPv4 Address Ranges
	RemoteIPTrustedProxy 103.21.244.0/22
	RemoteIPTrustedProxy 103.22.200.0/22
	RemoteIPTrustedProxy 103.31.4.0/22
	RemoteIPTrustedProxy 104.16.0.0/12
	RemoteIPTrustedProxy 108.162.192.0/18
	RemoteIPTrustedProxy 141.101.64.0/18
	RemoteIPTrustedProxy 162.158.0.0/15
	RemoteIPTrustedProxy 172.64.0.0/13
	RemoteIPTrustedProxy 173.245.48.0/20
	RemoteIPTrustedProxy 188.114.96.0/20
	RemoteIPTrustedProxy 190.93.240.0/20
	RemoteIPTrustedProxy 197.234.240.0/22
	RemoteIPTrustedProxy 198.41.128.0/17
	RemoteIPTrustedProxy 199.27.128.0/21
	
	# CloudFlare IPv6 Address Ranges
	RemoteIPTrustedProxy 2400:cb00::/32
	RemoteIPTrustedProxy 2405:8100::/32
	RemoteIPTrustedProxy 2405:b500::/32
	RemoteIPTrustedProxy 2606:4700::/32
	RemoteIPTrustedProxy 2803:f800::/32
</IfModule>

Besides correcting Apache’s reported client IP and PHP’s reported $_SERVER['REMOTE_ADDR'], this configuration also secures the process by trusting the Header-provided IP data only when the request comes from CloudFlare’s server IP ranges.
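
A simplified model of the trust decision this configuration asks mod_remoteip to make, as an added example (not code from the original post or from Apache). The function names, the shortened range list and the sample addresses are constructed for illustration; the private-block list follows the mod_remoteip documentation.

```python
import ipaddress

# Subset of the RemoteIPTrustedProxy ranges from the configuration above.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/12", "173.245.48.0/20", "2400:cb00::/32",
)]
# Blocks RemoteIPTrustedProxy will not accept from the header (per the
# mod_remoteip documentation); RemoteIPInternalProxy would accept them.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_intranet(addr):
    """True for addresses a trusted (external) proxy may not vouch for."""
    if addr.version == 4:
        return any(addr in net for net in PRIVATE_V4)
    return addr not in PUBLIC_V6


def effective_client_ip(peer_ip, cf_connecting_ip, internal_proxy=False):
    """Hypothetical helper: the address Apache would treat as the client.

    peer_ip is the TCP peer, cf_connecting_ip the header value (or None),
    internal_proxy=True models RemoteIPInternalProxy instead.
    """
    peer = ipaddress.ip_address(peer_ip)
    if cf_connecting_ip is None:
        return str(peer)
    # The header is honoured only when the connection comes from a listed proxy.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    try:
        claimed = ipaddress.ip_address(cf_connecting_ip.strip())
    except ValueError:
        return str(peer)  # malformed value: keep the connection address
    if not internal_proxy and is_intranet(claimed):
        return str(peer)  # private address from an external proxy: rejected
    return str(claimed)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, CF-Connecting-IP value).
    for peer, hdr in [("203.0.113.9", "198.51.100.7"),
                      ("173.245.48.10", "198.51.100.7"),
                      ("173.245.48.10", "192.168.1.5")]:
        print(peer, hdr, "->", effective_client_ip(peer, hdr))
```

The first sample shows why the trusted list matters: a request that reaches Apache directly, without passing through a listed CloudFlare range, keeps its connection address no matter what the header claims.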
