Is this the solution for Cloudflare (free) + Mautic + Nginx (visitor's real IP)?

Is this the solution for using the free Cloudflare proxied CDN with Mautic and a Wordpress website so the real visitor’s IP is still shown in Mautic? (I’m aware Cloudflare in their Enterprise (expensive) edition has support for the proxy protocol … but I’m using the free version which doesn’t allow that.)

MY SETUP:

  • Mautic 3.2.4 on a separate Ubuntu 20.04 VPS (MAUTIC.mywebsite.org).
  • NGINX Webserver. PHP. 7.3
  • WEBSITE: Wordpress (on shared hosting)

ISSUE:

Want to use Cloudflare (and its proxying ability) yet still be able to see visitors real IP’s within Mautic.

Possible Solution?

Nginx restore real IP address with the ngx_http_realip_module as specified here?

Nginx restore real IP address when behind a reverse proxy - nixCraft

I haven’t a clue what I’m doing so before trying to follow the guide above, could someone confirm if this is the best option and the guide seems ok?

Thank you!

I’m going to oversimplify this by saying that the same approach is taken for Cloudflare as it is on most reverse proxy or proxy services that are placed in front of an Nginx web server.

You need to properly set up Nginx via Nginx’s ngx_http_realip_module module and you’ll need to whitelist the Cloudflare IPv4 addresses. You should also prevent IP leaks which need to you enable Cloudflare Authenticated Origin Pull certificates on your Cloudflare Full SSL enabled sites.

Sadly, this is not trivial on your own VPS and likely near-impossible on a shared host. In the end, it might just be safer to turn off the (orange) proxy that comes with the Cloudflare Free Plan.

Forgot the link to the current IPv4 address pool that Cloudflare is using at any given time.

Thanks @DavidSchargel

So the steps for part one (pertaining to the realip module) would look like this? (Copied from a Linuxbabe tutorial on installing Matomo behind Cloudflare – Install Matomo Web Analytics (Piwik) on Ubuntu 20.04 with Apache/Nginx)

Running Matomo Behind Cloudflare CDN

If Matomo is running behind Cloudflare CDN, then Matomo can only see the Cloudflare servers’ IP address. To show the visitors’ real IP address in Nginx, edit the Nginx main configuration file.

sudo nano /etc/nginx/nginx.conf

Add the following directives in http section.

set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 199.27.128.0/21; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; # use any of the following two real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For;

set_real_ip_from defines trusted addresses, in this case Cloudflare IP addresses, that are known to send correct replacement addresses. Save and close the file. Then reload Nginx for the changes to take effect.

sudo systemctl reload nginx

and for the second part: (Authenticated Origin Pulls – Cloudflare Help Center)

Setting up NGINX to use TLS Authenticated Origin Pulls

For authenticated origin pulls to work, use Full SSL in the Cloudflare SSL/TLS app, and update the origin web server SSL configuration. Download origin-pull-ca.pem origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /etc/nginx/certs/cloudflare.crt

Then add these lines to the SSL configuration for your origin web server:

ssl_client_certificate /etc/nginx/certs/cloudflare.crt; ssl_verify_client on;

Does that pretty well summarise the steps needed to be taken?

Oh boy…you’re potentially asking for a world of hurt if you incorrectly muck with nginx.conf files. Nginx setups are often not the same from host to host and this code here would not work for the multiple servers I maintain. Chances are very good that your host has it setup the way they want so be careful!

Yes, set_real_ip_from within the http context is the correct implementation.

Here are some potential trouble spots:

  • You’ll need a system.d/cronjob to update this list as Cloudflare updates its IP ranges. It’s updated 2-4 times a year.
  • Depending on your host, you may need an additional real_ip_recursive on; directive in addition to real_ip_header CF-Connecting-IP; or real_ip_header X-Forwarded-For; Ask your host.
  • Before reloading nginx, test with nginx -t.
  • Interference from the server-side firewall(s). Depending on the configuration, UFW, IPTables, and CSF might not be too happy so be sure to whitelist appropriately there.
  • Check if your nginx has IPv6 Support. If not, drop those references.

If you’re not into debugging nginx, the likely best practice here is to create a brand new .conf file and use nginx include directive to reference it within nginx.conf. That should be the one and only modification made to the original nginx.conf.

For those reading this thread later, this is the nature of the implementation for another reverse proxy in front of nginx (Varnish, HAProxy, Google PageSpeed service, Cloud DDOS proxy, CloudFlare, Incapsula, etc.). Here’s the IP ranges for AWS Cloudfront and Incapsula.


For Authenticated Origin Pulls…
Unless you’re concerned with IP leaks to your origin nginx server, I wouldn’t bother with going for Full Strict on the Cloudflare SSL. Full SSL fits most use cases. On top of that, authenticated Origin Pull certs expire and you’d need some sort of system - manual or otherwise - for updating them.

Your host provider has mod_cloudflare available?

I think that mod_cloudflare is for Apache & LiteSpeed only and that set_real_ip_from is the appropriate equivalent for nginx.

Thanks, David … I’m looking at and trying to assimilate the info :slight_smile: