1. Use the following Nginx module and the following configuration parameters:

   set_real_ip_from 103.21.244.0/22;
   set_real_ip_from 103.22.200.0/22;
   set_real_ip_from 103.31.4.0/22;
   set_real_ip_from 104.16.0.0/12;
   set_real_ip_from 108.162.192.0/18;
   set_real_ip_from 131.0.72.0/22;
   set_real_ip_from 141.101.64.0/18;
   set_real_ip_from 162.158.0.0/15;
   set_real_ip_from 172.64.0.0/13;
   set_real_ip_from 173.245.48.0/20;
   set_real_ip_from 188.114.96.0/20;
   set_real_ip_from 190.93.240.0/20;
   set_real_ip_from 197.234.240.0/22;
   set_real_ip_from 198.41.128.0/17;
   set_real_ip_from 2400:cb00::/32;
   set_real_ip_from 2606:4700::/32;
   set_real_ip_from 2803:f800::/32;
   set_real_ip_from 2405:b500::/32;
   set_real_ip_from 2405:8100::/32;
   set_real_ip_from 2c0f:f248::/32;
   set_real_ip_from 2a06:98c0::/29;

   use any of the following two

   real_ip_header CF-Connecting-IP;
   #real_ip_header X-Forwarded-For;

   That list of prefixes needs to be updated regularly, and we publish the full list in Cloudflare IP addresses.

2. To Include the original visitor IP in your logs, add the variables $http_cf_connecting_ip and $http_x_forwarded_for in the log_format directive.

Also see: Cloudflare and Nginx.

1. Run the following script to install mod_cloudflare as part of EasyApache:

   bash <(curl -s https://raw.githubusercontent.com/cloudflare/mod_cloudflare/master/EasyApache/installer.sh)

2. Upon installing, you will need to recompile your Apache with the new mod_cloudflare plugin.

When using Railgun (or other reverse proxy software, such as Varnish), user's requests will come from your Railgun server instead of Cloudflare. Because requests are not coming directly from Cloudflare, mod_cloudflare will not restore visitor IP addresses by default.

1. To fix this, open up your Apache configuration. This can typically be found in /etc/apache2/apache2.conf, /etc/httpd/httpd.conf, /usr/local/apache/conf/httpd.conf or another location depending on configuration. If you're unsure, ask your hosting provider.

2. At the very end add:

   CloudflareRemoteIPTrustedProxy railgun_address

   So, if your Railgun server is located at 127.0.0.1, it will look like:

   CloudflareRemoteIPTrustedProxy 127.0.0.1

3. If you have more than one server to add to the trusted proxy list, you can add them at the end:

   CloudflareRemoteIPTrustedProxy 127.0.0.1 127.0.0.2

To have Lighttpd automatically rewrite the server IP for the access logs and for your application, you can follow one of the two solutions below.

If your origin only connects to the internet via IPv4:

1. Open your lighttpd.conf file and add mod_extforward to the server.modules list. It must come after mod_accesslog to show the real IP in the access logs (e.g., http://cl.ly/9fRX).

2. Add the following code block anywhere in the lighttpd.conf file after the server modules list.

   $HTTP["remoteip"] == "199.27.128.0/21" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "173.245.48.0/20" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "103.21.244.0/22" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "103.22.200.0/22" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "103.31.4.0/22" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "141.101.64.0/18" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "108.162.192.0/18" 
   {
   extforward.forwarder = ( "all" => "trust" )
   >extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "190.93.240.0/20" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "188.114.96.0/20" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "197.234.240.0/22" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "198.41.128.0/17" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "162.158.0.0/15" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "104.16.0.0/12" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }
   $HTTP["remoteip"] == "172.64.0.0/13" 
   {
   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")
   }

3. Restart Lighttpd.

If your origin connects to the internet with IPv6:

The Lighttpd documentation states that the field, $HTTP["remoteip"], which is required for matching the remote IP ranges does not work when IPv6 is enabled. Using the above method will not work when trying to forward IP ranges.

Here, an alternative solution to forwarding the original IPv6 address using Lighttpd is to trust all proxies (not recommended by Lighttpd). This can be done by:

1. Setting mod_accesslog before mod_extforward in the server.modules list

2. Adding the following lines to lighttpd.conf:

   extforward.forwarder = ( "all" => "trust" )
   extforward.headers = ("CF-Connecting-IP")

3. Restart Lighttpd.

1. Go to your LiteSpeed Web Admin Console.
2. Enable the option Use Client IP in Header in Configuration.
3. Once enabled, your access logs will now show the correct IP addresses, and even PHP's $_SERVER['REMOTE_ADDR'] variable will contain the client real IP address, instead of a Cloudflare IP address, which in itself will resolve most problems you could hit when enabling Cloudflare on PHP-enabled web sites (like WordPress or vBulletin installs).

For IIS 7 - 8:

Follow the directions here.

For IIS 8.5 - 10:

1. In IIS Manager, double click on Logging in the Actions menu of the site you are working on.

2. After this launches, select W3C as the format and then click Select Fields next to the format drop-down in the Log File sub-section.

   

3. Click on Add Field and add in CF-Connecting-IP header.

   

4. Click Ok. You should see your new entry reflected under Custom Fields. Click on Apply when you are back in the Logging window.

   

5. If this is successful, the log file should now have an underscore:

   

   You should also see the change in the fields:

   

6. Restart the site, then W3SVC, then the entire instance if the change doesn’t reflect immediately.

   When using enhanced logging in IIS 8.5+, it does not restore original visitor IP at the application level.

To have Tomcat7 automatically restore the original visitor IP to your access logs and application you will need to add %{CF-Connecting-IP}i into your log schema.

As an example, you could add the below block to your server.xml file.

Which would result in your logs looking like this:

Visitor IP - Cloudflare IP - [04/Dec/2014:23:18:15 -0500] - "GET / HTTP/1.1" - 200 - 1895 - 193d704b85200296-SJC

See this third-party tutorial on restoring original visitor IP with Magento and Cloudflare.

Similarly, Cloudflare did not write this Magento extension, but some of our customers have found it helpful.

To enable correct IP matching when running an Invision Power Board 3 installation through Cloudflare, follow these directions:

Log into your IPB installation's ACP.

1. Click System.

2. Under Overview, click Security.

3. Under Security Center, click Security Settings.

   Check that Trust IP addresses provided by proxies? is green.

IPB4 description of Trust IP addresses provided by proxies?

If your network environment means requests are handled through a proxy (such as in an intranet situation in an office or university, or on a load-balanced server cluster), you may need to enable this setting so that the correct IP address is used. However, when enabled, a malicious user can abuse the system to provide a fake IP address. In most environments, this setting should be left off.

Information about restoring original visitor IP with Simple Machines (SMF) can be found on the SMF Simple Machines forums

If you are using an Apache server, then we would recommend installing mod_cloudflare to restore the visitor IP back to your logs.

If you do not have access to your server to install a mod like mod_cloudflare, then you may be able to modify the core with the directions located here.

More recent versions of MyBB include a Scrutinize User's IP address option.

Admin CP > Configuration > Server and Optimization Options > Scrutinize User's IP address? > Yes

Alternatively, you may install the Cloudflare management plugin available for MyBB 1.6.

MyBB 1.6.0, 1.6.1, 1.6.2, or 1.6.3

1. Navigate to ./inc/functions.php.

2. Go to line 2790.

3. Replace:

   if(isset($_SERVER['REMOTE_ADDR']))

   With:

   if(isset($_SERVER['HTTP_CF_CONNECTING_IP']))

4. Then, replace:

   $ip = $_SERVER['REMOTE_ADDR'];

   With:

   $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];

A member of the Vanilla team has written a Cloudflare plugin for Vanilla to restore original visitor IP to the log files for self-hosted sites.

1. Open includes/GlobalFunctions.php. At approximately line 370, change the following:

   $forward = "\t(proxied
   via {$_SERVER['REMOTE_ADDR']}{$forward})";

   to

   $forward = "\t(proxied
   via {$_SERVER['HTTP_CF_CONNECTING_IP']}{$forward})";

2. Open includes/ProxyTools.php. At approximately line 79, find:

   if ( isset( $_SERVER['REMOTE_ADDR'] ) ){

   and replace with:

   if ( isset( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ){

   The second step only applies to MediaWiki versions 1.18.0 and older. Newer versions of MediaWiki have completely rewritten ProxyTools.php and the following code is no longer present.

3. Find at approximately line 80:

   $ipchain = array( IP::canonicalize($_SERVER['REMOTE_ADDR']) );

   Save and upload to your origin web server.

For versions around 1.27.1:

1. Go to line 1232 in GlobalFunctions.php, change REMOTE_ADDR to HTTP_CF_CONNECTING_IP.

2. Next, go to WebRequest.php, in lines 1151 to line 1159, change REMOTE_ADDR to HTTP_CF_CONNECTING_IP.

A Xenforo user has created a plugin for Cloudflare.

1. Open library/config.php.

2. At the end, add:

   if (isset($_SERVER['HTTP_CF_CONNECTING_IP']))
   { $_SERVER['REMOTE_ADDR']
   = $_SERVER['HTTP_CF_CONNECTING_IP'];}

3. Upload and overwrite.

An outside party has created a module for Cloudflare and PunBB that will restore original visitor IP.

1. Launch cherokee-admin on your server.

2. Navigate to the Cherokee Administration interface in your web browser.

3. Select the Virtual Server for the domain that is being serviced by Cloudflare.

4. On the Logging tab for your selected Virtual Server, enable Accept Forwarded IPs.

5. In the Accept from Hosts box, enter Cloudflare's IP addresses.

You can fix the IP address by changing the PHP IP Server Param field on the Livezilla server configuration to HTTP_CF_CONNECTING_IP.

To restore visitor IP to DataLife Engine:

1. Open:

   /engine/inc/include/functions.inc.php

   Find:

   $db_ip_split = explode( ".", $_SERVER['REMOTE_ADDR'] );

   Change to:

   $db_ip_split = explode(".", $_SERVER['HTTP_CF_CONNECTING_IP'] );

2. Find:

   $ip_split = explode( ".", $_SERVER['REMOTE_ADDR'] );

   Change to:

   $ip_split = explode(".", $_SERVER['HTTP_CF_CONNECTING_IP'] );

3. Open:

   /engine/modules/addcomments.php

   Find:

   $_SERVER['REMOTE_ADDR'],

   Change to:

   $_SERVER['HTTP_CF_CONNECTING_IP'],

4. Find:

   $db_ip_split = explode( ".", $_SERVER['REMOTE_ADDR'] );

   Change to:

   $db_ip_split = explode( ".", $_SERVER['HTTP_CF_CONNECTING_IP'] );

An outside developer has created a Cloudflare extension for TYPO3 that will restore original visitor IP to your logs. The extension will also give the ability to clear your Cloudflare cache.

If you use the hosting control panel VestaCP, you have both Nginx and Apache running on your server. Requests are proxied through Nginx before going to Apache.

Because of this Nginx proxy, you actually need to the instructions to configure Nginx to return the real visitor IP address. Mod_cloudflare for Apache is not needed unless you disable the Nginx server for some requests. Adding mod_cloudflare to Apache will not conflict with the Nginx server configuration.

An outside developer has created a module to restore visitor IP called node_cloudflare.