Is this the solution for Cloudflare (free) + Mautic + Nginx (visitor's real IP)?

Is this the solution for using the free Cloudflare proxied CDN with Mautic and a Wordpress website so the real visitor’s IP is still shown in Mautic? (I’m aware Cloudflare in their Enterprise (expensive) edition has support for the proxy protocol … but I’m using the free version which doesn’t allow that.)

MY SETUP:

  • Mautic 3.2.4 on a separate Ubuntu 20.04 VPS (MAUTIC.mywebsite.org).
  • NGINX web server, PHP 7.3
  • WEBSITE: WordPress (on shared hosting)

ISSUE:

Want to use Cloudflare (and its proxying ability) yet still be able to see visitors' real IPs within Mautic.

Possible Solution?

Nginx restore real IP address with the ngx_http_realip_module as specified here?

Nginx restore real IP address when behind a reverse proxy - nixCraft

I haven’t a clue what I’m doing so before trying to follow the guide above, could someone confirm if this is the best option and the guide seems ok?

Thank you!

I’m going to oversimplify this by saying that the same approach is taken for Cloudflare as it is on most reverse proxy or proxy services that are placed in front of an Nginx web server.

You need to properly set up Nginx via Nginx’s ngx_http_realip_module module and you’ll need to whitelist the Cloudflare IPv4 addresses. You should also prevent IP leaks, which requires you to enable Cloudflare Authenticated Origin Pull certificates on your Cloudflare Full SSL enabled sites.

Sadly, this is not trivial on your own VPS and likely near-impossible on a shared host. In the end, it might just be safer to turn off the (orange) proxy that comes with the Cloudflare Free Plan.

Forgot the link to the current IPv4 address pool that Cloudflare is using at any given time.

Thanks @DavidSchargel

So the steps for part one (pertaining to the realip module) would look like this? (Copied from a Linuxbabe tutorial on installing Matomo behind Cloudflare – Install Matomo Web Analytics (Piwik) on Ubuntu 20.04 with Apache/Nginx)

Running Matomo Behind Cloudflare CDN

If Matomo is running behind Cloudflare CDN, then Matomo can only see the Cloudflare servers’ IP address. To show the visitors’ real IP address in Nginx, edit the Nginx main configuration file.

sudo nano /etc/nginx/nginx.conf

Add the following directives in http section.

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

set_real_ip_from defines trusted addresses, in this case Cloudflare IP addresses, that are known to send correct replacement addresses. Save and close the file. Then reload Nginx for the changes to take effect.

sudo systemctl reload nginx

and for the second part: (https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls)

Setting up NGINX to use TLS Authenticated Origin Pulls

For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /etc/nginx/certs/cloudflare.crt

Then add these lines to the SSL configuration for your origin web server:

ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;

Does that pretty well summarise the steps needed to be taken?

Oh boy… you’re potentially asking for a world of hurt if you incorrectly muck with nginx.conf files. Nginx setups are often not the same from host to host and this code here would not work for the multiple servers I maintain. Chances are very good that your host has it set up the way they want, so be careful!

Yes, set_real_ip_from within the http context is the correct implementation.

Here are some potential trouble spots:

  • You’ll need a systemd timer/cron job to update this list as Cloudflare updates its IP ranges. It’s updated 2-4 times a year.
  • Depending on your host, you may need an additional real_ip_recursive on; directive in addition to real_ip_header CF-Connecting-IP; or real_ip_header X-Forwarded-For; Ask your host.
  • Before reloading nginx, test with nginx -t.
  • Interference from the server-side firewall(s). Depending on the configuration, UFW, IPTables, and CSF might not be too happy so be sure to whitelist appropriately there.
  • Check if your nginx has IPv6 Support. If not, drop those references.

If you’re not into debugging nginx, the likely best practice here is to create a brand new .conf file and use nginx’s include directive to reference it within nginx.conf. That should be the one and only modification made to the original nginx.conf.

For those reading this thread later, this is the nature of the implementation for any other reverse proxy in front of nginx (Varnish, HAProxy, Google PageSpeed service, Cloud DDOS proxy, CloudFlare, Incapsula, etc.). Here are the IP ranges for AWS Cloudfront and Incapsula.


For Authenticated Origin Pulls…
Unless you’re concerned with IP leaks to your origin nginx server, I wouldn’t bother with going for Full Strict on the Cloudflare SSL. Full SSL fits most use cases. On top of that, authenticated Origin Pull certs expire and you’d need some sort of system - manual or otherwise - for updating them.
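Putting the two points above together (a cron job to refresh the Cloudflare ranges, and a separate include file so nginx.conf is touched only once), here is an added example script that is not from this thread or from Cloudflare; the include path, the two list URLs and the --apply flag are my assumptions. It rejects anything that is not a CIDR so a bad download can never become a trusted proxy range, and it rolls the file back if nginx -t fails.

```shell
# Added example, not code from the thread: build the nginx realip include file from a
# Cloudflare CIDR list, refuse junk, and reload nginx only if `nginx -t` passes.
# The include path and the Cloudflare list URLs below are my assumptions.
set -euf
REALIP_CONF="${REALIP_CONF:-/etc/nginx/conf.d/cloudflare-realip.conf}"
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"

# Accept only something shaped like an IPv4 or IPv6 CIDR: an HTML error page or a
# truncated download must never end up as a trusted set_real_ip_from range.
is_cidr() {
  printf '%s\n' "$1" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$|^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Read whitespace-separated CIDRs on stdin and emit the directives shown in the thread.
# One bad entry (or an empty list) rejects the whole batch: exit 1, nothing emitted.
gen_realip_conf() {
  list="$(cat)"
  n=0
  for cidr in $list; do
    is_cidr "$cidr" || { echo "rejected entry: $cidr" >&2; return 1; }
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] || { echo "empty list, refusing to generate config" >&2; return 1; }
  echo "# Cloudflare ranges trusted to supply the client IP ($n entries)"
  for cidr in $list; do
    echo "set_real_ip_from $cidr;"
  done
  echo "real_ip_header CF-Connecting-IP;"
}

# Fetch the live lists, install the file, and roll back if nginx rejects the config.
# nginx.conf only needs one line in its http block: include /etc/nginx/conf.d/*.conf;
update_cloudflare_ips() {
  tmp="$(mktemp)"
  { curl -fsS "$CF_IPV4_URL"; echo; curl -fsS "$CF_IPV6_URL"; echo; } | gen_realip_conf > "$tmp"
  if [ -f "$REALIP_CONF" ]; then cp "$REALIP_CONF" "$REALIP_CONF.bak"; fi
  mv "$tmp" "$REALIP_CONF"
  if nginx -t; then
    systemctl reload nginx
  else
    if [ -f "$REALIP_CONF.bak" ]; then mv "$REALIP_CONF.bak" "$REALIP_CONF"; fi
    return 1
  fi
}

# Run from cron or a systemd timer as root, e.g. weekly:  sh cf-realip.sh --apply
if [ "${1:-}" = "--apply" ]; then update_cloudflare_ips; fi
```

Because the generated file carries only set_real_ip_from lines and the CF-Connecting-IP header, the real_ip_recursive on; question and the Authenticated Origin Pull directives stay in your own server block, as David suggests.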

Your host provider has mod_cloudflare available?

I think that mod_cloudflare is for Apache & LiteSpeed only and that set_real_ip_from is the appropriate equivalent for nginx.

Thanks, David … I’m looking at and trying to assimilate the info 🙂