CentOS plugin for grabbing Cloudflare real client IP

  • CentOS plugin for grabbing Cloudflare real client IP

    I found this: https://support.cloudflare.com/hc/en...s/360029696071

    But it doesn't look like this is in any of the base repos.
    Has anyone installed this from a third-party repo?
    Does this actually overwrite the IP that comes into the logs with the true client IP, or would you still need to grab the IP in PHP, for example via "real client IP"?

    Thanks!
    [ JUSTIN ]
    [ OFF unit ]
    [ WEB DESIGN / DEVELOPMENT, GRAPHIC DESIGN, OTHER STUFF
    ]

  • #2
    Hi Justec

    I hope you're well and keeping safe.

    We use the below:

    cd /usr/local/src/
    git clone https://github.com/cloudflare/mod_cloudflare.git
    cd mod_cloudflare
    apxs -a -i -c mod_cloudflare.c
    # restart Apache (on CentOS 7: systemctl restart httpd) so the new module is loaded
    httpd -M | grep cloudflare_module

    However, after reading your link to CF, I think I need to uninstall mod_cloudflare in favour of remoteip. You cannot use both mod_cloudflare and remoteip at the same time.

    Many thanks and keep safe

    John




    mod_cloudflare for Apache

    Copyright CloudFlare Inc. 2016

    mod_cloudflare.c

    Based on mod_remoteip.c, this Apache extension will replace the remote_ip variable in user's logs with the correct remote IP sent from CloudFlare. The module only performs the IP substitution for requests originating from CloudFlare IPs by default.

    In addition to this, the extension will also set the HTTPS environment variable to "on" in cases where Flexible SSL is in use. This prevents software such as WordPress from being broken by Flexible SSL.

    To install, either run apxs2 directly against the .c source file:
    $ apxs2 -a -i -c mod_cloudflare.c


    An alternative way to install is to use GNU autotools, which requires that autoconf and automake already be installed:
    $ autoconf
    $ ./configure
    $ make
    $ make install


    OS Support
    • CentOS - Supported
    • CloudLinux - Not Supported

    No further configuration is needed. However, if you wish to override the default values, the following directives are exposed:

    CloudFlareRemoteIPHeader

    This specifies the header which contains the original IP. Default:
    CloudFlareRemoteIPHeader CF-Connecting-IP


    CloudFlareRemoteIPTrustedProxy

    This is to add additional trusted IP addresses or ranges from which we will allow CloudFlareRemoteIPHeader to be used from. We will rewrite remote IPs and the SSL variable (in the case of Flexible SSL) from these trusted IPs, additionally DenyAllButCloudflare will not deny requests from IPs listed here. See here for a complete list.

    DenyAllButCloudFlare

    When this is set, we will deny requests from IPs which aren't in the CloudFlareRemoteIPTrustedProxy directive or are not from a Cloudflare IP.

    Note that by default, DenyAllButCloudflare will not allow Remote IPs, they will need to be whitelisted through CloudFlareRemoteIPTrustedProxy.

    Loading the Module

    Note that on some systems, you may have to add a LoadModule directive manually. This should look like:
    LoadModule cloudflare_module /usr/lib/apache2/modules/mod_cloudflare.so


    Replace /usr/lib/apache2/modules/mod_cloudflare.so with the path to mod_cloudflare.so on your system.

    Installing apxs/apxs2

    If you cannot find apxs or apxs2, install apache2-dev on Debian and Ubuntu, or httpd-devel on Red Hat and CentOS:
    $ apt-get install apache2-dev
    $ yum install httpd-devel


    Additional Notes
    • If mod_cloudflare and mod_remoteip are enabled on the same web server, the server will crash if they both try to set the remote IP to a different value.
    • Enabling mod_cloudflare will not affect the performance of Apache in any noticeable manner. AB testing both over LAN and WAN shows no equivalent numbers with and without mod_cloudflare.
    • If you like, you may also add the directive DenyAllButCloudFlare. This will result in all requests from IPs which are not in the CloudFlareRemoteIPTrustedProxy range being denied with a status of 403.



    • #3
      Hi Justec

      Just checking one of the domains using CF, it looks like mod_cloudflare is still working well, but for how long I am not sure.

      Many thanks

      John




      • #4
        Yes, it seems like CF is no longer officially supporting mod_cloudflare and is now pushing people to move to mod_remoteip. As far as how it works, do you have to access a special variable in PHP to get the client IP, or does the mod overwrite the IP with the real IP?

        How does it look in the logs? I've had a problem where bots overload a website, then my server scans the logs and autoblocks the IP, but it's a CF IP and then I have to go and unblock it. I've now whitelisted the CF IPs, but this isn't great for when the server is getting hit with a bot.



        • #5
          Hi Justec

          Good question

          I do not use remoteip but use mod_cloudflare, and below is an extract from a site which is using CF (www).

          The connecting IP address is correct (it is our IP from here) and the site URL is correct to use CF (www is a CNAME to CF).

          So I think it pulls the correct IP from CF directly, by the directive CloudFlareRemoteIPHeader finding the CF-Connecting-IP header, so no rewrites of IP addresses, and the logs show as below.

          217.37 is our IP address and www is the CF CNAME.

          I hope that helps a little and sorry if I am wrong

          Many thanks and stay safe

          John

          217.37.nnn.nnn - - [31/Mar/2020:15:54:17 +0100] "GET ///_data/i/upload/2017/05/19/20170519101435-17d2b5a0-th.png HTTP/1.1" 304 - "https://www.CFdomain.url///index.php?/most_visited" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

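The header-trust rule described in the README above (honour CloudFlareRemoteIPHeader only when the connection comes from a CloudFlareRemoteIPTrustedProxy address) and the log autoblocking problem raised in #4, as an added Python example; this is not code from Cloudflare's module or from anyone in this thread, and the proxy ranges in it are documentation examples, not Cloudflare's published ranges.

```python
import ipaddress

# Constructed stand-in for a RemoteIPTrustedProxyList-style file. A real
# deployment must use Cloudflare's published ranges (https://www.cloudflare.com/ips/);
# 198.51.100.0/24 and 2001:db8:cf::/48 are documentation ranges, not Cloudflare's.
TRUSTED_PROXY_LIST = """\
# one network per line, '#' starts a comment
198.51.100.0/24
2001:db8:cf::/48
"""


def load_trusted_list(text):
    """Parse the proxy list into ip_network objects, ignoring comments/blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def effective_client_ip(peer_ip, headers, trusted, header="CF-Connecting-IP"):
    """Simplified version of what mod_cloudflare / mod_remoteip do: the header
    is honoured only when the TCP peer is a trusted proxy; otherwise the peer
    address is kept, so a direct client cannot forge its logged IP."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return str(peer)                      # untrusted peer: header may be forged
    try:
        return str(ipaddress.ip_address(headers.get(header, "").strip()))
    except ValueError:
        return str(peer)                      # missing or garbage header: fall back


# Constructed requests as the server sees them: (TCP peer, request headers).
REQUESTS = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}),  # via trusted proxy
    ("198.51.100.8", {"CF-Connecting-IP": "203.0.113.9"}),  # same client, other edge
    ("192.0.2.44", {"CF-Connecting-IP": "10.0.0.1"}),       # direct hit, forged header
    ("198.51.100.7", {}),                                   # proxy but no header
]


def requests_per_client(requests, trusted):
    """Count hits per effective client IP: what a log-based autoblocker should
    key on, so it bans the real client rather than the proxy's edge address."""
    counts = {}
    for peer, headers in requests:
        ip = effective_client_ip(peer, headers, trusted)
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

With Apache 2.4 and mod_remoteip the same substitution is applied to REMOTE_ADDR, so PHP's $_SERVER['REMOTE_ADDR'] already holds the client address and no extra header lookup is needed; log the underlying peer separately with %{c}a if you still want to see the edge address.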


          • #6
            Interesting, so it looks like if I install the plugin (assuming the newer one works the same) then I can have my logs with the real client IP! That's good news. Thanks for checking that.



            • #7
              It's interesting, it hadn't happened to me.
