Nginx as Reverse Proxy for Apache, Restoring original visitor IPs. (Cloudflare & No Cloudflare)

boo

This is my basic test setup: (no cloudflare)

sudo nano /etc/nginx/sites-available/default

Code:
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        proxy_pass https://127.0.0.1:444;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
I've changed the default ports of Apache to 8080 and 444 and added the above to /etc/nginx/sites-available/default. As you can see, nginx will listen on 443 and pass to 444 (Apache).

Xenforo

You will see IP 127.0.0.1 in xenforo logs and apache access.log.

Fix xenforo

Add to src/config.php

Code:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    // Replace the proxy's 127.0.0.1 with the address nginx forwarded
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
Apache access.log fix

We can modify the LogFormat line in /etc/apache2/apache2.conf and replace %h with %{X-Forwarded-For}i:
nano /etc/apache2/apache2.conf
Code:
[...]
#LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
[...]
Please now check your Apache access.log and XenForo. Make sure the IP is correct.


Adding Cloudflare

What happens when I enable Cloudflare?

XenForo will show the correct IP.
Apache access.log will show both the correct IP and Cloudflare's IP for each user access.
Nginx access.log will show just Cloudflare's IP.

Fix

/etc/nginx/nginx.conf

Below http { add:

Code:
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;
    real_ip_header     CF-Connecting-IP;
After making changes to apache or nginx always restart them.

sudo systemctl restart apache2
sudo systemctl restart nginx
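
The `src/config.php` snippet in the post above copies the whole X-Forwarded-For header into REMOTE_ADDR, and nginx's `$proxy_add_x_forwarded_for` appends to whatever header the client sent, so the leftmost entries are client-supplied. The following is an added example, not part of the original post or of XenForo, that accepts the header only from known proxies and reads it from right to left. `TRUSTED_PROXIES`, `is_trusted_proxy` and `client_ip` are hypothetical names, and the sample addresses are constructed.

```php
<?php
// Added example. Assumptions: Apache is reachable only through nginx on
// 127.0.0.1, and nginx appends to X-Forwarded-For as configured in the post.

// Proxies whose X-Forwarded-For entries are believed (hypothetical list: the
// local nginx plus one Cloudflare range copied from the set_real_ip_from lines).
const TRUSTED_PROXIES = ['127.0.0.1/32', '103.21.244.0/22'];

// True when IPv4 address $ip lies inside a trusted range. Assumes 64-bit PHP.
function is_trusted_proxy(string $ip): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        return false; // not IPv4 (for example an IPv6 hop): never trusted here
    }
    foreach (TRUSTED_PROXIES as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $mask = (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// Walk X-Forwarded-For right to left and return the first hop that is not one
// of our proxies. Everything to the left of that hop was supplied by the client.
function client_ip(string $remoteAddr, ?string $xff): string
{
    if ($xff === null || !is_trusted_proxy($remoteAddr)) {
        return $remoteAddr; // direct connection: ignore the header entirely
    }
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop at the last address we could verify
        }
        $remoteAddr = $hop;
        if (!is_trusted_proxy($hop)) {
            break; // first untrusted hop is the real client
        }
    }
    return $remoteAddr;
}

// Constructed sample: the client forged "X-Forwarded-For: 10.9.8.7"; Cloudflare
// and nginx each appended the peer address they actually saw.
var_dump(client_ip('127.0.0.1', '10.9.8.7, 203.0.113.50, 103.21.244.10'));

// In src/config.php the call would be:
// $_SERVER['REMOTE_ADDR'] = client_ip($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null);
```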
 

thomsa

This config is too hard. If you have a directadmin/cpanel/plesk/vestacp/centos panel, you do not set this up.
 

boo

The first part doesn't apply if you are using panels like plesk, cpanel:

sudo nano /etc/nginx/sites-available/default

Code:
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        proxy_pass https://127.0.0.1:444;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
I've changed the default ports of Apache to 8080 and 444 and added the above to /etc/nginx/sites-available/default. As you can see, nginx will listen on 443 and pass to 444 (Apache).
 