0

I need to be able to know the Cloudflare IP for connections made to my server.

This is so I can determine if a connection is made through Tor. To do that, I need to send the tool the IP that the client CONNECTED TO. That is NOT my server's IP, that is the IP of the Cloudflare entry proxy, which is why I'm trying to pass the Cloudflare IP through fastcgi.
https://www.torproject.org/projects/tordnsel.html.en

I have a block that looks like this:

```
# Preserve Cloudflare IP
fastcgi_param CF-Proxy-IP $remote_addr;
fastcgi_param TEST "abc123";

# CloudFlare
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
real_ip_header CF-Connecting-IP;
```

But it's not going through and the dummy headers I set do not get seen in phpinfo(). I'm not sure what else I can do because after the real_ip_header goes through, all original CF data is lost.

Josh
  • CloudFlare doesn't run any Tor exit nodes. So I don't think you need to do anything else. – Michael Hampton Apr 23 '16 at 22:31
  • No, but that's not what I'm asking. I need to know the Cloudflare IP to determine connecting IPs that can access my server. – Josh Apr 23 '16 at 22:32
  • Say what? What does CloudFlare's IP address have to do with it? – Michael Hampton Apr 23 '16 at 22:33
  • Because clients connecting to my server through tor are not connecting to my IP. They are connecting to Cloudflare's. Ergo, I need to check it against Cloudflare's IP. That is why I am trying to store Cloudflare's IP. – Josh Apr 23 '16 at 22:35
  • They connect to CloudFlare, and after they finish that annoying captcha, CloudFlare sends you their IP in the `CF-Connecting-IP` header. That still doesn't explain why you want CloudFlare's IP! I thought you were trying to determine if the user was a Tor user. – Michael Hampton Apr 23 '16 at 22:36
  • Please read my OP! I am trying to use a Tor tool to see what Tor nodes can reach my server. To do that, I need to send the tool the IP that the CLIENT CONNECTED TO. That is NOT my server's IP, that is the IP of the Cloudflare entry proxy! – Josh Apr 23 '16 at 22:37
  • That was not actually written in the OP! Anyway, now that I know what you're actually looking for, the question is answerable. – Michael Hampton Apr 23 '16 at 22:38

1 Answer

2

When you use the nginx real ip module, nginx places the actual connecting IP address in the $realip_remote_addr variable when it does the IP address substitution. So you can pass this to your application by setting the header:

```
fastcgi_param CF-Proxy-IP $realip_remote_addr;
```

This variable requires nginx 1.9.7 or later.

Michael Hampton
  • You're a legend. (Though, protip: Backup NGINX config files before updating manually to 1.9.5 ;) ) – Josh Apr 24 '16 at 05:54
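
An added example, not part of the original question or answer: a Python sketch of the application side, taking the two addresses nginx passes (`REMOTE_ADDR` after substitution and `CF-Proxy-IP` from `$realip_remote_addr`) and building the TorDNSEL `ip-port` lookup name described on the linked Tor Project page. It treats the proxy address as the destination, as the question does; the function names, the mapping interface, the default port 443 and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# IPv4 ranges copied from the set_real_ip_from list in the question.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "199.27.128.0/21", "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20",
    "188.114.96.0/20", "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15",
    "104.16.0.0/12", "172.64.0.0/13",
)]


def reverse_octets(addr):
    """1.2.3.4 -> '4.3.2.1', the octet order DNS list lookups use."""
    return ".".join(reversed(str(addr).split(".")))


def tordnsel_query(params, port=443):
    """Return the ip-port exit-list name to look up, or None if not applicable.

    params: the FastCGI parameters as a mapping (hypothetical interface).
    REMOTE_ADDR is the visitor address after real_ip substitution;
    CF-Proxy-IP is $realip_remote_addr, the peer nginx actually accepted.
    """
    try:
        client = ipaddress.ip_address(params["REMOTE_ADDR"])
        proxy = ipaddress.ip_address(params["CF-Proxy-IP"])
    except (KeyError, ValueError):
        return None  # parameter missing or malformed
    # This query form is IPv4-only.
    if client.version != 4 or proxy.version != 4:
        return None
    # If the peer was not in a trusted range nginx did no substitution, so
    # both values are the same direct client and there is no proxy address.
    if not any(proxy in net for net in CLOUDFLARE_V4):
        return None
    return "{}.{}.{}.ip-port.exitlist.torproject.org".format(
        reverse_octets(client), port, reverse_octets(proxy))


if __name__ == "__main__":
    # Constructed sample: documentation-range visitor, proxy in 104.16.0.0/12.
    sample = {"REMOTE_ADDR": "203.0.113.7", "CF-Proxy-IP": "104.16.1.2"}
    print(tordnsel_query(sample))
```

The returned name is what the application would resolve; a request that reached nginx without passing through one of the listed ranges yields `None` rather than a lookup against the wrong destination.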