CloudFlare : Another way to get visitor's real IP address
Problem:
Your web server's log, such as NGINX's access.log, is showing unusually high and intense queries from a couple of IP addresses. However, when you trace the origin of those IP addresses, they turn out to belong to CloudFlare. How do you get the real IP address behind the CloudFlare IP address?
Diagnostic:
Your web server's log file shows CloudFlare's IP addresses instead of real IP addresses because your web server is using CloudFlare's services. Those IP addresses belong to CloudFlare's edge (proxy) servers, which are intended for caching and speeding up load time at the visitors' end. (See https://support.cloudflare.com/hc/en-us/articles/200170786-Why-do-my-server-logs-show-Cloudflare-s-IPs-using-Cloudflare- )
IMPORTANT: If you are looking to ban the visitor's IP address, DO NOT ban CloudFlare's IP address, because doing so will block legitimate access by real (human) visitors. Find out the REAL IP address first and ban the REAL IP address.
Solution:
NOTE: CloudFlare's support has good knowledge of this, and their solution at https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs requires an additional module for NGINX. Below is my own solution, which gets the visitors' real IP address without recompiling NGINX.
First, ssh to your web server and tail -f the server's visitor access log file. For example, in my own NGINX configuration:
tail -f /var/log/nginx/access.log
Second, turn off CloudFlare's caching. Go to the DNS module in CloudFlare and click on the orange cloud symbols to turn them gray. This will cause all traffic to go to your server directly, without CloudFlare filtering the traffic.
Now, go back to the tail -f access.log and wait for a while. Soon, you will start to see the visitor's real IP address appearing in the log file.
How to tell if an IP address belongs to CloudFlare?
Simple. For example, I'm getting unusually high traffic from 162.158.63.29, and to verify whether 162.158.63.29 belongs to CloudFlare, I will use www.ip-tracker.org to trace the origin:
http://www.ip-tracker.org/locator/ip-lookup.php?ip=162.158.63.29
It shows that the IP address's organization is CloudFlare. This is not what we want. After disabling CloudFlare's caching, you will soon notice the IP address change to a non-CloudFlare IP address.
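The same check can be done offline for every address in the log at once. The script below is an added example, not part of the original article: it counts requests per client address and labels each address as a CloudFlare edge or a direct visitor. It assumes the embedded IPv4 list still matches what CloudFlare publishes at https://www.cloudflare.com/ips-v4; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Snapshot of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4.
# Assumption: the list is current; refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample lines in NGINX's default "combined" log format.
SAMPLE_LOG = '''\
162.158.63.29 - - [01/Jan/2017:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
162.158.63.29 - - [01/Jan/2017:10:00:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2017:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.50"
162.158.63.29 - - [01/Jan/2017:10:00:02 +0000] "GET /b HTTP/1.1" 404 169 "-" "Mozilla/5.0"
172.68.10.4 - - [01/Jan/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
'''

def classify(token):
    """Label one log field; None means it is not an IP address at all."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return None
    if ip.version != 4:
        return "unchecked-ipv6"  # only the IPv4 list is embedded here
    return "cloudflare-edge" if any(ip in net for net in CLOUDFLARE_V4) else "direct"

def summarize(log_text):
    """Return (address, request_count, label) rows, busiest address first."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # The client address is the first field of the combined format.
        if fields and classify(fields[0]) is not None:
            hits[fields[0]] += 1
    return [(ip, n, classify(ip)) for ip, n in hits.most_common()]

if __name__ == "__main__":
    for ip, n, label in summarize(SAMPLE_LOG):
        # Rows labelled cloudflare-edge are proxies and must not be firewalled.
        print(f"{ip:<16} {n:>4}  {label}")
```

Pass the contents of /var/log/nginx/access.log to summarize() in place of SAMPLE_LOG to run it against the real log.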
Once you've identified the real IP address, you can choose to block it with your Linux or Windows IP firewall. For example, I'm using Linux, and this is the command to block the IP address:
iptables -A INPUT -s <insert_IP_address_here> -j DROP
However, this only works when your server is naked and without CloudFlare's protection. Once you re-enable CloudFlare by clicking on the gray clouds in the DNS module and turning them back to orange clouds, the blocked IP address will still be able to access your server.
To fix this issue, you will need to configure the IP Firewall as well. Go to the CloudFlare IP Firewall module and add the real visitor's IP address that you want to block.
For example:
Once you've added the IP address that you want to block, remember to change the Security Level to "I'm under attack" mode. This should configure CloudFlare to block the offending IP address.
Hope this helps!
By Adam Ng