Search our site for answers
Help Docs Liquid Web Portal Domains and DNS Cloudflare Logging Real Visitor IPs with Cloudflare

Logging Real Visitor IPs with Cloudflare

Using CloudFlare? Your logs may show the wrong IP. Install the Apache module `mod_cloudflare` to log the correct visitor IP and prevent firewall blocks.
Cloudflare
2 min read

Since Cloudflare serves as a proxy, all visits to your website and web applications will, by default, be logged with the Cloudflare IP address — not the visitor’s actual IP address.  To remedy this, installing the Apache module mod_cloudflare will ensure that visitors’ actual IP addresses are logged and displayed.  This is why we recommend that you activate mod_cloudflare to accurately log website visitor IP addresses.

Without this step, your server’s firewall could block Cloudflare’s IP addresses, making your site inaccessible. If you need to check whether the module is already enabled or need assistance installing it, please open a Support Case and the Support team will be happy to help.

You’ll need to add Cloudflare to your website and configure Cloudflare DNS records before installing mod_cloudflare. This tutorial will specifically cover mod_cloudflare for Apache. You will need root-level SSH access to your server. If you don’t have root server access, don’t hesitate to contact the Most Helpful Humans in Hosting ™ for more help.

To install mod_remoteip on your Apache web server:

  1. Enable mod_remoteip by issuing the following command:
sudo a2enmod remoteip
  1. Update the site configuration to include RemoteIPHeader CF-Connecting-IP, e.g. /etc/apache2/sites-available/000-default.conf
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ServerName remoteip.andy.support
RemoteIPHeader CF-Connecting-IP
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
  1. Update combined LogFormat entry in apache.conf, replacing %h with %a in /etc/apache2/apache2.conf. For example, if your current LogFormat appeared as follows
LogFormat "%h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" combined

you would update LogFormat to the following:

LogFormat "%a %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"" combined
  1. Define trusted proxy addresses by creating /etc/apache2/conf-available/remoteip.conf by entering the following code and Cloudflare IPs:
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 192.0.2.1 (example IP address)
RemoteIPTrustedProxy 192.0.2.2 (example IP address)

Repeat the RemoteIPTrustedProxy command for all Cloudflare IPs listed at the following URL:

  https://www.cloudflare.com/ips/

  1. Enable Apache configuration:
sudo a2enconf remoteip
Enabling conf remoteip.
To activate the new configuration, you need to run:
    service apache2 reload
  1. Test Apache configuration:
sudo apache2ctl configtest
Syntax OK
  1. Restart Apache:
sudo systemctl restart apache2

For more information and additional configurations or options, see Cloudflare’s Help Center.

Was this article helpful?