Cloudflare template not working when there is an intermediate proxy

I’m not quite sure what’s going on here, but I’m still seeing Cloudflare IPs appear in the Discourse admin section for new user registration IPs and last access IPs even after having enabled the Cloudflare template.

I used the launcher to enter the app and verified that the `/etc/nginx/conf.d/discourse.conf` file has the following lines in it:

```nginx
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header CF-Connecting-IP;
```

However, I’m still seeing Last IP Address values like 172.68.133.64 (a Cloudflare IP which is covered in the above addresses) and still seeing Cloudflare IPs in the log entries.

I did try running a `service nginx reload`, which seems to have executed successfully, but I’m still seeing Cloudflare IPs.

Does anyone have any ideas for how I might debug this further and/or fix the problem?

Of course, right after posting this, I found the issue. I forgot that my server setup had another intermediary proxy between Cloudflare and Discourse. That proxy was not set up to pass along the original IPs to Discourse.

Cloudflare instructions for restoring original IP in various web servers / proxies: https://support.cloudflare.com/hc/en-us/articles/200170786

Leaving this topic up in case anyone else is as forgetful as I am. :smiley:

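For anyone debugging the same setup, here is an added example (not part of the original post and not Discourse or nginx code): a simplified Python model of the trusted-peer check that `set_real_ip_from` and `real_ip_header` configure, showing what each hop ends up logging once an extra proxy sits in the chain. The visitor address, the intermediate proxy address, and the function names are constructed for illustration; only the Cloudflare ranges, the header name, and 172.68.133.64 come from the post.

```python
import ipaddress

# Subset of the set_real_ip_from ranges quoted in the post, plus its header.
CLOUDFLARE_RANGES = ["172.64.0.0/13", "162.158.0.0/15", "104.16.0.0/13", "2606:4700::/32"]
REAL_IP_HEADER = "CF-Connecting-IP"

VISITOR = "203.0.113.7"    # constructed: the real client (documentation range)
CF_EDGE = "172.68.133.64"  # Cloudflare address mentioned in the post
PROXY = "10.0.0.5"         # constructed: the forgotten intermediate proxy


def resolve_client_ip(peer_ip, headers, trusted_ranges):
    """The header replaces the peer address only when the directly
    connected peer falls inside one of the trusted ranges."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(r) for r in trusted_ranges):
        return peer_ip  # untrusted peer: header ignored, so it cannot be spoofed
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return str(ipaddress.ip_address(lowered.get(REAL_IP_HEADER.lower(), "").strip()))
    except ValueError:
        return peer_ip  # header missing or malformed: fall back to the peer


def diagnose(peer_ip, headers, trusted_ranges):
    """Return (address that gets logged, reason) for one incoming request."""
    resolved = resolve_client_ip(peer_ip, headers, trusted_ranges)
    if resolved != peer_ip:
        return resolved, "restored from header"
    if REAL_IP_HEADER.lower() in {k.lower() for k in headers}:
        return resolved, "peer not in trusted ranges (or header invalid)"
    return resolved, "header did not reach this hop"


def scenarios():
    """Four constructed requests as seen by the backend web server."""
    hdr = {REAL_IP_HEADER: VISITOR}
    plus_proxy = CLOUDFLARE_RANGES + [PROXY + "/32"]
    return {
        "cloudflare connects directly": diagnose(CF_EDGE, hdr, CLOUDFLARE_RANGES),
        "proxy in front, not trusted": diagnose(PROXY, hdr, CLOUDFLARE_RANGES),
        "proxy trusted, drops header": diagnose(PROXY, {}, plus_proxy),
        "proxy trusted, keeps header": diagnose(PROXY, hdr, plus_proxy),
    }


if __name__ == "__main__":
    for name, (ip, reason) in scenarios().items():
        print(f"{name:30} -> {ip:15} ({reason})")
```

Only the first and last scenarios recover the visitor address: the backend has to trust whichever host actually opens the connection to it, and that host has to forward the header unchanged.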