Suggestion for Cloudflare template to get real IP from users

Hi all,

I just found out the long and hard way about Cloudflare’s real_ip_header CF-Connecting-IP; setting in nginx…

I have a fairly complicated setup with nginx proxy manager being in its own docker image (I’m using SWAG from linuxserver.io, which is awesome BTW), so the connection path looks like this:
User -> Cloudflare -> Server(1st docker container: Nginx -> 2nd docker container: Discourse)

I have both docker containers in the same docker network, so they communicate; that’s fine.
I had a real issue trying to get the user’s origin IP in the Discourse logs. I read up all the nice threads here and added the cloudflare template to my app.yml file, but it still didn’t work…

After pulling my hair out, I realized that the issue was not the Cloudflare template per se, but the fact that the Discourse container was getting the IP address from the NGINX container and I had to add the docker network IP CIDR to the set_real_ip_from like this:
set_real_ip_from 172.18.0.0/16;

In order to help future hosters, would it be possible to add this line to the cloudflare template? The IP range 172.18.0.0/16 is anyway private, so even if you don’t have NPM in a docker container, it will not hurt to add this range.

My suggestion would be to change this line in cloudflare.template.yml:
sed -i "/sendfile on;/a $CONTENTS\nreal_ip_header CF-Connecting-IP;" /etc/nginx/conf.d/discourse.conf
to this line:
sed -i "/sendfile on;/a set_real_ip_from 172.18.0.0/16;\n$CONTENTS\nreal_ip_header CF-Connecting-IP;" /etc/nginx/conf.d/discourse.conf

What do you think?
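
Added example, not part of the original post or of the Discourse templates: a simplified Python model of how nginx's realip module picks the logged address, showing why the Discourse container kept logging the proxy container's IP until the Docker range was listed in set_real_ip_from. The container addresses, the visitor address and the /32 variant are constructed assumptions; the single Cloudflare range stands in for the template's $CONTENTS list.

```python
import ipaddress

def effective_client_ip(peer_addr, headers, trusted_cidrs,
                        header_name="CF-Connecting-IP"):
    """Return the address nginx would log for one request.

    Simplified model of ngx_http_realip_module with real_ip_recursive off:
    the header is honoured only when the directly connected peer matches a
    set_real_ip_from entry; otherwise the peer address is kept.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_cidrs):
        return peer_addr
    value = headers.get(header_name)
    if value is None:
        return peer_addr
    try:
        # nginx takes the last address in the field; CF-Connecting-IP has one.
        return str(ipaddress.ip_address(value.split(",")[-1].strip()))
    except ValueError:
        return peer_addr  # malformed header value: address left unchanged

# Constructed sample values (assumptions, not taken from the thread):
CLOUDFLARE_ONLY = ["173.245.48.0/20"]  # one published Cloudflare range
WITH_DOCKER_NET = CLOUDFLARE_ONLY + ["172.18.0.0/16"]  # line proposed in the post
WITH_PROXY_ONLY = CLOUDFLARE_ONLY + ["172.18.0.3/32"]  # hypothetical pinned proxy IP
PROXY, OTHER_CONTAINER = "172.18.0.3", "172.18.0.9"
REQUEST = {"CF-Connecting-IP": "203.0.113.7"}  # documentation-range visitor

def demo():
    """Logged address for each configuration and connecting peer."""
    return {
        "proxy, Cloudflare ranges only": effective_client_ip(PROXY, REQUEST, CLOUDFLARE_ONLY),
        "proxy, /16 trusted": effective_client_ip(PROXY, REQUEST, WITH_DOCKER_NET),
        "other container, /16 trusted": effective_client_ip(OTHER_CONTAINER, REQUEST, WITH_DOCKER_NET),
        "other container, /32 trusted": effective_client_ip(OTHER_CONTAINER, REQUEST, WITH_PROXY_ONLY),
    }

if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:32} -> {logged}")
```

The third row is the trade-off of trusting the whole /16: every peer on that Docker network is believed when it sends the header, which the /32 entry avoids at the cost of keeping the proxy container's address fixed.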

There are a bunch of topics about using a reverse proxy that include how to do that. Not everyone who uses cloudflare uses a reverse proxy.

A reverse proxy template could be good though, as I have to look it up every time I set it up without my scripts.

Right. And the inverse is true too: not everyone who uses a reverse proxy uses cloudflare :wink:

This suggestion is really destined to make life easier for people who use cloudflare. It wouldn’t change a thing for those that don’t use a reverse proxy in docker, but could potentially save hours of searching for the answer to a simple problem.


People who use cloudflare are likely to have a hard life. You can search here and find lots of examples of how. Installing the template is just a piece of the problems you might have, and the easiest to fix. (I’d recommend that you use a real CDN like bunny.net which is cheap–but not free–and easy to configure, but that’s not what you asked.)

Of course, your issue had nothing to do with cloudflare, but the reverse proxy, so searching for cloudflare was likely no help!

Still, adding a few more stock templates like reverse proxy (and the one that I really want–one to precompile assets and push them to S3) is a good idea.

Good luck.
