CloudFlare : Another way to get visitor's real IP address




Problem:

Your web server's log, such as NGINX's access.log, is showing an unusually high and intense volume of queries from a couple of IP addresses. However, when you trace the origin of those IP addresses, they turn out to belong to CloudFlare. How do you get the real IP address behind CloudFlare's IP address?

Diagnostic:

Your web server log file is showing CloudFlare's IP addresses instead of the real IP addresses because your web server is using CloudFlare's services. Those IP addresses belong to CloudFlare's edge (proxy) servers, which are intended for caching and speeding up load time at the visitors' end. (See https://support.cloudflare.com/hc/en-us/articles/200170786-Why-do-my-server-logs-show-Cloudflare-s-IPs-using-Cloudflare- )

IMPORTANT: If you are looking to ban the visitor's IP address, DO NOT ban CloudFlare's IP address, because doing so will block legitimate access by real (human) visitors. Find out the REAL IP address first and ban the REAL IP address.

Solution:

NOTE: CloudFlare's support has good knowledge on this, and their solution at https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs requires an additional module for NGINX. Below is my own solution, which gets the visitors' real IP addresses without recompiling NGINX.

First, ssh to your web server and tail -f the server's visitor access log file. For example, in my own NGINX's configuration:

tail -f /var/log/nginx/access.log

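Second, turn off CloudFlare's caching. Go to the DNS module in CloudFlare and click on the orange cloud symbols to turn them gray. This will cause all traffic to go to your server directly, without CloudFlare filtering the traffic. While the clouds are gray, DNS resolves straight to your origin server's IP address and CloudFlare's protection is off for those records, so keep this window as short as you can.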

[Screenshot: CloudFlare DNS module, disabling caching to get the real IP address]

Now, go back to the tail -f access.log output and wait for a while. Soon, you will start to see the visitors' real IP addresses appearing in the log file.

How to tell if an IP address belongs to CloudFlare?

Simple. For example, I'm getting unusually high traffic from 162.158.63.29. To verify whether 162.158.63.29 belongs to CloudFlare, I use www.ip-tracker.org to trace the origin:

http://www.ip-tracker.org/locator/ip-lookup.php?ip=162.158.63.29

and it shows that the IP address organization is CloudFlare. This is not what we want. After disabling CloudFlare's caching, you will soon notice the IP addresses in the log change to non-CloudFlare IP addresses.
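The same check can be done offline against the access log, as an added example that is not part of the original post: it counts requests per client IP and marks which heavy hitters are CloudFlare edge addresses that must not be banned. The range list is a snapshot of CloudFlare's published IPv4 ranges and is assumed current (refresh it from https://www.cloudflare.com/ips-v4); the function names, threshold and sample log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Snapshot of CloudFlare's published IPv4 ranges (assumption: may be outdated;
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip):
    """True if ip falls inside one of the CloudFlare edge ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def top_talkers(log_lines, threshold=3):
    """Count requests per client IP (first field of NGINX's default log format)
    and return [(ip, hits, safe_to_block)] for IPs at or above threshold."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines that do not start with an IP address
        hits[fields[0]] += 1
    return [(ip, n, not is_cloudflare(ip))
            for ip, n in hits.most_common() if n >= threshold]

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, 162.158.63.29 is the address discussed in the post.
SAMPLE_LOG = (
    ['162.158.63.29 - - [01/Jan/2024:10:00:0%d +0000] "GET / HTTP/1.1" 200 512' % i
     for i in range(5)]
    + ['203.0.113.7 - - [01/Jan/2024:10:01:0%d +0000] "GET /login HTTP/1.1" 200 128' % i
       for i in range(4)]
    + ['198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512']
)

if __name__ == "__main__":
    for ip, n, ok in top_talkers(SAMPLE_LOG):
        verdict = "candidate to block" if ok else "CloudFlare edge, do NOT block"
        print(f"{ip:15} {n:4} hits  {verdict}")
```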

Once you've identified the real IP address, you can choose to block it with your Linux or Windows IP firewall. For example, I'm using Linux and this is the command to block the IP address:

iptables -A INPUT -s <insert_IP_address_here> -j DROP

However, this only works while your server is naked, without CloudFlare's protection. Once you re-enable CloudFlare by clicking on the gray clouds in the DNS module and turning them back to orange, the blocked IP address will still be able to access your server, because its requests once again reach your server from CloudFlare's edge IP addresses.

To fix this issue, you will need to configure CloudFlare's IP Firewall as well. Go to the CloudFlare IP Firewall module and add the real visitors' IP addresses that you want to block.

For example:

[Screenshot: configuring the CloudFlare IP Firewall to block an IP address]

Once you've added the IP address that you want to block, remember to change the Security Level to "I'm Under Attack" mode. This should configure CloudFlare to block the offending IP address.

Hope this helps!

Reference:

https://support.cloudflare.com/hc/en-us/articles/200170786-Why-do-my-server-logs-show-Cloudflare-s-IPs-using-Cloudflare-






By Adam Ng
