Cloudflare and IP logging

[i7Grendel]

I use Cloudflare to protect and speed up my website. The only drawback is that I can't properly log my users IPs. Cloudflare provides a way to bypass that, but it requires some unusual actions:

 

For Apache Users

 

If you update your httpd.conf file with the following module, your logs and anything that relies on your logs, will continue to work correctly.

 

Process: Install mod_cloudflare on your Apache http server.

 

Difficulty: Moderate

 

Requirements: ssh, root, gcc

 

1) Move the source file mod_cloudflare.c to your web server

 

2) Make sure that the command apxs or apxs2 is installed somewhere.

 

If you are running Ubuntu or Debian, this can be installed with

 

apt-get install apache2-prefork-dev

 

If you are running Fedora or CentOS, this can be installed with

 

yum install httpd-devel

 

3) Debian, Ubuntu and Fedora users should do the following as root, and skip step 4:

 

apxs2 -iac mod_cloudflare.c

 

4) As root, compile and install the module with

 

apxs -c -i mod_cloudflare.c

 

 

Make sure that the line LoadModule cloudflare_module /usr/lib/apache2/modules/mod_cloudflare.so Is somewhere in your http.conf file. Replace /usr/lib/apache2/modules/ with the correct path as applicable.

 

5) Restart apache

 

6) Lastly, make sure that mod_cloudflare is working by tailing your access.log file.

 

You should see that the remote_ip field here is no longer that of the CloudFlare CDN (204.93.173.0 through 255) but is instead that of actual connecting users.

 

Will I be able to do all this?

[Guest xaav]

Will I be able to do all this?

 

No. You will need to open a topic in customer service for this.

[Krydos]

As a regular user you definitely don't have access to enable modules in apache and recompile, however if you are interested in seeing what our root administrator has to say about this potential installation I can escalate this thread to bring it to his attention. There is a chance that he will add it, especially if this upgrade could benefit many users.

[Piotr GRD]

And all of these is only needed for server side logs.

 

If you care more for logs made by software that you use - some forum/CMS/blog/whatever script - you could get the real visitor IP by doing some small edits in these scripts. Some scripts may already be coded to do what you need.

 

If you code by yourself you may find that Cloudflare's proxy most likely (I can not be sure as I didn't ever use CloudFlare for any of my websites) introduce itself inside of HTTP_VIA and the real visitor IP is most likely provided in HTTP_X_FORWARDED_FOR. I can only guess that mentioned above Apache module is rewriting it into REMOTE_ADDR if detect that CloudFlare's proxy is in use.

[i7Grendel]

I'm using PHP-Fusion, which tries to logsthe IP of members, but currently only logs Cloudflare's IPs. I've looked through the files to find any way in which I could circumvent the logging issue, but I was unsuccesful.

 

Oh, and I'd really appreciate it if this would be escalated, because it would benefit all Cloudflare users, which I hope is a growing number because of the great features of Cloudflare.

[Piotr GRD]

I didn't use PHP-Fusion ever, I don't know the code, I have just spent around 3 minutes on the code (PHP-Fusion v7) analysis so I may be wrong, but this looks like may be the solution for you...

 

 

In latest version - v7.02.03.Full - it's inside the file "maincore.php" in line 80. In different versions it may be different line number or even in different file. There is something like:

define("FUSION_IP", $_SERVER['REMOTE_ADDR']);

 

What if you'll replace this line with something like:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
define("FUSION_IP", $_SERVER['HTTP_X_FORWARDED_FOR']);
else
define("FUSION_IP", $_SERVER['REMOTE_ADDR']);

 

 

!!!

Remember to always have a backup of original file when doing a modification of anything.

This may not work at all or as expected, as I wrote - I spent just three minutes on a big 10+ MB, 1800+ files script.

Even if this will work - there could exist some known issues with it (when multiple proxies are in use) so tell me if it works or not to modify the code further.

!!!

 

 

But most of all:

Could you create such PHP file:

<?php
echo 'REMOTE_ADDR: ' . $_SERVER['REMOTE_ADDR'] . '<br/>
HTTP_X_FORWARDED_FOR: ' . $_SERVER['HTTP_X_FORWARDED_FOR'] . '<br/>
HTTP_VIA: ' . $_SERVER['HTTP_VIA'];
?>

Upload it into your website and access it? If you'll find that REMOTE_ADDR is CloudFlare's IP and HTTP_X_FORWARDED_FOR is your own original IP then this is what I've expected. Knowing what is the content of HTTP_VIA may help to create better modification that will work only for CloudFlare's proxies and not for other proxies.

[i7Grendel]

Ok. The code Piotr gave me showed this:

 

REMOTE_ADDR: 173.245.53.xxx
HTTP_X_FORWARDED_FOR: 82.73.10.xx
HTTP_VIA:

 

The REMOTE_ADDR is indeed Cloudflare's IP and the FORWARDED thingy is mine (the xx are for censoring).

 

I've edited maincore.php as Piotr suggested and my site doesn't show any errors, so I assume it's working fine. However, I'll only know the effect when a new user registers, because the (wrong) IPs of existing users are still in the database.

 

Ok. The code Piotr gave me showed this:

 

REMOTE_ADDR: 173.245.53.xxx
HTTP_X_FORWARDED_FOR: 82.73.10.xx
HTTP_VIA:

 

The REMOTE_ADDR is indeed Cloudflare's IP and the FORWARDED thingy is mine (the xx are for censoring).

 

I've edited maincore.php as Piotr suggested and my site doesn't show any errors, so I assume it's working fine. However, I'll only know the effect when a new user registers, because the (wrong) IPs of existing users are still in the database.

[Piotr GRD]

Doesn't PHP-Fusion also log the IPs with posts on the forums etc. so you will know sooner? Anyway.

 

 

Two things you need to know, though.

 

- If multiple proxies will be in use - so at least one more (transparent, not anonymous) apart of CloudFlare's proxy then HTTP_X_FORWARDED_FOR will contain comma separated multiple IPs, every following proxy will add to which IP it is forwarding at the end of the list. In such case PHP-Fusion may or may not have problems with it, depends how it's coded to handle eventual bans, IP comparison etc. In case of problems we could explode the IPs from this list and use only one. Any PHP programmer will help you with this.

 

- HTTP_X_FORWARDED_FOR is sent in HTTP headers by the client. It can be very easily spoofed, you have no any possibility to check if the IP provided is a real one. So as long as you can more or less trust that CloudFlare's proxy won't cheat you with this, but you can not be 100% sure if the other IPs provided by other proxies (or even regular clients, but especially various malicious bots) are real. You can't do much or anything with this, though.

[i7Grendel]

Thank you, Piotr, for your support. I'm not planning to use more proxies, and I have enough trust in Cloudflare to send me a proper forwarded IP that the current setup will work for now. If I have any more problems, I will ask a friend (an excellent PHP programmer) for help. Thank you again.