Symptoms
-
Plesk is running behind a Cloudflare CDN proxy or Google Cloud Load Balancing.
-
Internal IP address of load balancer, Plesk server or CDN proxy is displayed in domain logs (Domains > example.com > Logs) instead of the client device public IP (real visitor's IP):
Access 192.0.2.2 200 GET / HTTP/1.0
Cause
CDN Proxies and load balancers rewrite the origin IP address and specify the client's IP address in an additional HTTP header.
Resolution
- Log into the server via SSH
- Using the next command verify that the
remoteip_moduleApache module is enabled:# (apache2ctl -M || httpd -M) | grep remoteip_module
The output below means that
remoteip_modulemodule is enabled:remoteip_module (shared)
- If the
remoteip_moduleis not enabled, enable it:
Ubuntu/Debian-based OS:# a2enmod remoteip
RHEL-based OS:
Add the following line:LoadModule remoteip_module modules/mod_remoteip.so
to /etc/httpd/conf.modules.d/00-base.conf and restart httpd:
# systemctl restart httpd
Afterwards, apply one of the following solutions:
Warning: Since the real_ip_header for nginx and the RemoteIPHeader for Apache can be added only once in the entire web server configuration of the server, the directives should be added globally instead of locally for separate domains. That is also the reason why such a configuration can be added for only one CDN that is used for websites on the server.
Server-wide solution with Nginx enabled
-
Connect to the server via SSH.
-
Download and execute the next script in order to add the Nginx variables globally:
# curl -LO https://raw.githubusercontent.com/plesk/kb-scripts/master/cf-nginx-ip-passthrough/cf.sh && chmod 700 /root/cf.sh
-
Execute the script:
# bash cf.sh
Note: The script could be called at the required intervals using Plesk Scheduled Tasks.
Server-wide solution with Apache only enabled (no nginx)
-
Connect to the server via SSH
-
Make sure that
/etc/httpd/conf/httpd.conf(on Debian-based OS the path is/etc/apache2/apache2.conf) has the followingLogFormat:LogFormat "%a %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined
-
Create a new configuration file:
On RHEL-based OS:/etc/httpd/conf.d/cloudflare.conf
On Debian-based OS:/etc/apache2/conf-enabled/cloudflare.conf -
Add Cloudflare IP addresses in the file created on step 3:
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32 -
Restart Apache service:
-
For CentOSRHEL:
# systemctl restart httpd
-
For DebianUbuntu:
# systemctl restart apache2
-
Note: For additional information on proper HTTP headers with the client's IP address for non-listed services contact the support of the proxy/load-balancing service or its system administrator.
with