In Nginx Last updated: April 9, 2021

Setting up a web application in the cloud is always fun and exciting.

Recently, I launched a Geekflare Tools tool, which is hosted in AWS behind Cloudflare.

I am using the AWS application load balancer and Nginx as a web server. After going live, I went to see the access.log and noticed all requests were marked as coming from the internal (load balancer) IP.

This is not good if you want to analyze your web server logs for visitor locations. I realized that I was missing some configuration changes needed to restore the client IP.

Are you in the same situation as I was?

Well, here is how you can get the client IP in your Nginx access logs.

Getting Visitor IP from AWS or Google Cloud LB

  • Log in to your Nginx web server
  • Go to the path where it’s installed (default location /etc/nginx)
  • Take a backup of the nginx.conf file
  • Add the following under the http block
    real_ip_header X-Forwarded-For;
    # 0.0.0.0/0 trusts this header from any connecting address;
    # narrow it to the load balancer's subnet if Nginx is reachable by anything else
    set_real_ip_from 0.0.0.0/0;
  • Restart Nginx, and you should see the visitor’s IP in your access.log file
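
The following is an added example, not code from the article or from Nginx: a simplified Python model of how the realip module chooses the logged address from X-Forwarded-For, comparing the 0.0.0.0/0 trust setting above with a setting limited to the load balancer. The 10.0.0.0/16 subnet, the sample addresses and the function names are assumptions; real_ip_recursive is the module's directive for walking the header past trusted hops.

```python
import ipaddress

def _trusted(addr, nets):
    """True if addr falls inside any set_real_ip_from network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def resolve_client_ip(peer, header, trusted_cidrs, recursive=False):
    """Address Nginx would log, given the TCP peer and the header value."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if not header or not _trusted(peer, nets):
        return peer                      # header ignored: peer is not a trusted proxy
    client = peer
    for hop in reversed([h.strip() for h in header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                        # unparsable entry: stop, keep what we have
        client = hop
        if not recursive or not _trusted(hop, nets):
            break                        # recursive off: rightmost entry wins
    return client

def overbroad(trusted_cidrs):
    """set_real_ip_from entries that trust every possible peer."""
    return [c for c in trusted_cidrs if ipaddress.ip_network(c).prefixlen == 0]

# Constructed sample values (documentation ranges), not taken from the article.
ANY = ["0.0.0.0/0"]          # the article's setting
LB_ONLY = ["10.0.0.0/16"]    # assumed subnet that holds the load balancer
LB, VISITOR, CLAIMED = "10.0.1.25", "203.0.113.7", "198.51.100.9"
VIA_LB = f"{CLAIMED}, {VISITOR}"  # request already carried a header; the LB appended its peer

if __name__ == "__main__":
    cases = [
        ("via LB, trust any", LB, VIA_LB, ANY, False),
        ("via LB, trust any, recursive", LB, VIA_LB, ANY, True),
        ("via LB, trust LB only, recursive", LB, VIA_LB, LB_ONLY, True),
        ("direct to Nginx, trust any", VISITOR, CLAIMED, ANY, False),
        ("direct to Nginx, trust LB only", VISITOR, CLAIMED, LB_ONLY, False),
    ]
    for name, peer, header, cidrs, rec in cases:
        print(f"{name:34} -> {resolve_client_ip(peer, header, cidrs, rec)}")
    print("over-broad entries:", overbroad(ANY + LB_ONLY))
```

With trust limited to the load balancer's subnet, the logged address is always one the load balancer itself observed; with 0.0.0.0/0 it can be a value the request supplied.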

If you are behind Cloudflare, then you will see their IP instead of the client’s IP, so you need to do the following as well.

Getting Client IP from Cloudflare

Cloudflare is a great CDN and Security provider, and I absolutely love it. If you are using Cloudflare like me and would like to restore the visitor IP in the web server log, then here is how you can do it.

Assuming you are logged into the Nginx server

Take a backup of your site configuration file (usually here – /etc/nginx/sites-available/yourdomain)

Add the following at the beginning of the file

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
real_ip_header CF-Connecting-IP;

Note: You may want to validate the IP list against their official page.

Restart Nginx, and you should see the client IP now. This has helped me, and I hope it helps you too.

Next, find out how you can implement secure headers using Cloudflare Workers.

  • Chandan Kumar
    Author
    Chandan Kumar is the founder of Geekflare. He’s helped millions to excel in the digital realm. Passionate about technology, He’s on a mission to explore the world and amplify growth for professionals and businesses.