Cloudflare Real-IP via Apache

Hey there, I operate a Discourse forum that’s gaining traction, and I’ve been searching for hours on how to forward people’s real IPs to Discourse, instead of Cloudflare’s.

Every single topic I’ve seen, people are asking about doing this with nginx, and people who aren’t end up being persuaded to move over to it. The problem is, the site I’m running uses Apache features I need, and rebuilding it under nginx is not worth the hassle.

Here’s my config right now:

RequestHeader set X-Real-IP "%{CF_CONNECTING_IP}e"
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

Unfortunately, I’ve done many actions on the forum, but my “last ip address” field is still Cloudflare’s. Is there anything obviously wrong with this? Or could it be a configuration issue with my Discourse container?

Edit: it was both, see sam’s reply and mine.

2 Likes

Since this is Cloudflare, you want to use the Cloudflare pattern and pass through the header.

https://github.com/discourse/discourse_docker/blob/master/templates/cloudflare.template.yml#L16

So you want to pass CF-Connecting-IP through Apache and then mix in our Cloudflare template.

5 Likes

Ah, silly mistake that I didn’t add the template and rebuild. I must need sleep. Thank you!

2 Likes

I did some more testing and realized there were a few other problems. For one, request headers are not exposed by default in Apache variables, so you must use the SetEnvIf directive.

And finally, I changed the proxy to use sockets. When using a simple HTTP proxy, it would still use the old Cloudflare IP. I added the web.socketed template in addition to the cloudflare one, and rebuilt.

Final config:

SetEnvIf CF-Connecting-IP (.*) real_ip=$1
RequestHeader set X-Real-IP %{real_ip}e
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / unix:/var/discourse/shared/standalone/nginx.http.sock|http://127.0.0.1/
ProxyPassReverse / unix:/var/discourse/shared/standalone/nginx.http.sock|http://127.0.0.1/

And now it works :smile:

3 Likes
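
The final config in the thread copies CF-Connecting-IP from whichever client connects, so the value is only reliable when every request reaches Apache through Cloudflare. The variant below is an added example, not part of the thread or of Discourse's templates: it uses mod_remoteip to accept the header only from listed proxy addresses and then overwrites the forwarded headers with the verified address. The two proxy ranges are placeholder documentation ranges and are assumptions, not Cloudflare's real ranges.

```apache
# Needs mod_remoteip and mod_headers; expr= header values need Apache 2.4.10+.

# Take the client address from CF-Connecting-IP, but only when the TCP peer
# is one of the proxies listed below. From any other peer the header is ignored.
RemoteIPHeader CF-Connecting-IP

# PLACEHOLDERS (documentation ranges, constructed for this example).
# Replace with the address ranges Cloudflare publishes for its edge,
# one RemoteIPTrustedProxy line per range.
RemoteIPTrustedProxy 203.0.113.0/24
RemoteIPTrustedProxy 2001:db8::/32

# REMOTE_ADDR now holds the verified client address: the visitor address
# reported by a trusted proxy, or the connecting address for everyone else.
# Overwrite both headers so a client-supplied value never reaches the backend.
RequestHeader set CF-Connecting-IP "expr=%{REMOTE_ADDR}"
RequestHeader set X-Real-IP "expr=%{REMOTE_ADDR}"

# Proxy settings unchanged from the final config in the thread.
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / unix:/var/discourse/shared/standalone/nginx.http.sock|http://127.0.0.1/
ProxyPassReverse / unix:/var/discourse/shared/standalone/nginx.http.sock|http://127.0.0.1/
```

With this in place, `%a` in an Apache `LogFormat` records the same verified address that is forwarded to Discourse.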
