Symptoms
- Plesk is running behind Cloudflare or Google Cloud Load Balancing.
- The internal IP address of the load balancer or proxy is displayed in domain logs (Domains > example.com > Logs) instead of the client's IP address (the real visitor's IP):
Access 192.0.2.2 200 GET / HTTP/1.0
Cause
Proxies and load balancers rewrite the origin IP address and specify the client's IP address in an additional HTTP header.
Resolution
- Log into the server via SSH.
- Use the following command to verify that the remoteip_module Apache module is enabled:
# (apache2ctl -M || httpd -M) | grep remoteip_module
The output below means that the remoteip_module module is enabled:
remoteip_module (shared)
Then apply one of the following solutions:
Solution for a single domain with Nginx enabled
- Go to Domains > example.com > Apache & nginx Settings, and add the following content to the Additional nginx directives:
- For Cloudflare:
real_ip_header CF-Connecting-IP;
- For Cloudflare Load Balancing:
set_real_ip_from 130.0.0.0/8;
set_real_ip_from 35.0.0.0/8;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
Note: It might be required to add other IP address ranges to the set_real_ip_from based on the Google Compute Engine zone used.
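Added example, not part of the original article or of Plesk's scripts: a simplified Python model of how nginx chooses the logged address from real_ip_header when real_ip_recursive is on or off, using a subset of the trusted ranges above. The function names and the sample requests are constructed for illustration. The model follows the documented realip behaviour and ignores ports in header entries.

```python
import ipaddress

# Subset of the trusted ranges from the set_real_ip_from list above.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("130.0.0.0/8", "35.0.0.0/8", "173.245.48.0/20", "2606:4700::/32")]


def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside any trusted (set_real_ip_from) range."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer, header_value, recursive=True, trusted=TRUSTED):
    """Return the address that would be logged for a request.

    peer          -- address of the TCP peer that connected to the server
    header_value  -- content of the header named by real_ip_header
    recursive     -- models real_ip_recursive on/off
    """
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    # The header is only consulted while the current address is trusted.
    while hops and is_trusted(addr, trusted):
        try:
            candidate = ipaddress.ip_address(hops.pop())  # rightmost first
        except ValueError:
            break  # unparsable entry: keep the last good address
        addr = candidate
        if not recursive:
            break  # recursive off: the last header entry is used as-is
    return str(addr)


# Constructed sample requests; client addresses use documentation ranges.
SAMPLES = [
    ("35.191.0.10", "198.51.100.7, 203.0.113.9, 130.211.1.1", True),
    ("35.191.0.10", "198.51.100.7, 203.0.113.9, 130.211.1.1", False),
    ("203.0.113.50", "198.51.100.7", True),   # untrusted peer: header ignored
    ("35.200.1.1", "198.51.100.7", True),     # any peer inside a trusted /8
]

if __name__ == "__main__":
    for peer, xff, rec in SAMPLES:
        print(f"peer={peer:<13} recursive={rec!s:<5} "
              f"logged={resolve_client_ip(peer, xff, rec)}")
```

The last sample shows why the width of each range matters: any peer inside a trusted range is believed, so the logged address is whatever that peer put in the header. Keep set_real_ip_from limited to the ranges the proxy or load balancer actually connects from.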
Solution for a single domain with Apache only
- Go to Domains > example.com > Apache & Nginx Settings and add the following content to both Additional directives for HTTP and Additional directives for HTTPS:
Note: The remoteip module should be enabled in Tools & Settings > Apache Web Server.
- For Cloudflare:
RemoteIPHeader CF-Connecting-IP
- For Google Cloud Load Balancing:
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 130.0.0.0/8
RemoteIPInternalProxy 35.0.0.0/8
Server-wide solution with Nginx enabled
- Connect to the server via SSH.
- Download and execute the following script in order to add the Nginx variables globally:
# curl -LO https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh && chmod 700 /root/cf.sh
- Execute the script:
# bash cf.sh
Note: The script could be called at the required intervals using Plesk Scheduled Tasks.
Server-wide solution with Apache only
- Connect to the server via SSH.
- Make sure that /etc/httpd/conf/httpd.conf (on Debian-based OS the path is /etc/apache2/apache2.conf) has the following LogFormat:
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
- Create a new configuration file:
On RHEL-based OS: /etc/httpd/conf.d/cloudflare.conf
On Debian-based OS: /etc/apache2/conf-enabled/cloudflare.conf
- Add Cloudflare IP addresses in the file created on step 3:
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy…