Restoring Visitor IPs on Amazon Linux 2023

When you put Cloudflare in front of Apache as a reverse proxy, the TCP peer Apache sees is a Cloudflare edge node, so the address in your access logs (and in anything keyed on the client address, such as rate limits or allow lists) is Cloudflare's, not the visitor's. Cloudflare carries the visitor's address in the CF-Connecting-IP request header, and mod_remoteip substitutes that value for the peer address, but only when the connection comes from an address you have declared a trusted proxy; otherwise anyone who reaches the origin directly could forge the header and appear as whoever they like. On Amazon Linux 2023 the httpd package already loads mod_remoteip, so we only need to update its configuration, the log format, and the virtual host settings to restore and log the original client IP.

From my personal experience, I initially struggled with installing mod_remoteip.so in Amazon Linux 2023, as I followed some guides that recommended installing it manually. However, I later discovered that mod_remoteip is already installed and running by default in Amazon Linux 2023. Another challenge I encountered was that the systemctl commands provided in Cloudflare’s official guidelines did not work on Amazon Linux 2023. The system setup is slightly different from what those guides suggest, but with a few adjustments, we can still easily configure the server to restore the original visitor IPs.

Step 1: Modify the remoteip.conf File

Amazon Linux 2023 has a dedicated configuration file for the mod_remoteip module at /etc/httpd/conf.d/remoteip.conf. You can confirm the module is loaded before editing by listing loaded modules with httpd -M and looking for remoteip_module. We will edit this file to name the header to read and to list Cloudflare's ranges as the only trusted proxies.

# Open the remoteip.conf file
sudo vi /etc/httpd/conf.d/remoteip.conf

Add the following configuration. RemoteIPHeader names the header whose value replaces the client address, and RemoteIPTrustedProxy lists the peers whose copy of that header is believed; a request from any other peer keeps its real peer address no matter what header it sends. Keep this list exactly as Cloudflare publishes it (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), and re-check it periodically: Cloudflare occasionally adds, splits or retires a range, and a range that is missing here silently leaves those requests logged with the edge address, while an extra range that is not Cloudflare's lets its owner forge visitor addresses.

# Use CF-Connecting-IP header from Cloudflare
RemoteIPHeader CF-Connecting-IP

# Trust Cloudflare's IPv4 ranges (IPv6 ranges follow below)
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22

# Cloudflare IPv6 ranges
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32

Save and close the file by typing :wq.

Step 2: Modify the Log Format in httpd.conf

Next, we need to update the Apache log format so that it records the original client IP instead of the Cloudflare proxy IP.

# Open the main Apache configuration file
sudo vi /etc/httpd/conf/httpd.conf

Find the LogFormat directives and replace the leading %h with %a. %a is the client IP of the request, which is the field mod_remoteip rewrites from the header; %{c}a, not used here, is always the underlying peer address (the Cloudflare edge), and is worth appending if you want both addresses in the log for forensics. The stock Amazon Linux 2023 file looks like this after the change:

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%a %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    #CustomLog "logs/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    CustomLog "logs/access_log" combined
</IfModule>

Save and close the file.

Step 3: Modify Virtual Host SSL Configuration

If you're using SSL, the certbot configuration for your domain (e.g., your-website.com) lives in a separate virtual host file, and a CustomLog inside a virtual host replaces the server-wide one, so HTTPS requests will keep using whatever format that file names. The RemoteIPHeader and RemoteIPTrustedProxy directives from Step 1 are server-wide and already apply to the SSL virtual host; what needs attention is only its logging.

# Open the SSL configuration file
sudo vi /etc/httpd/conf.d/your-website.com-le-ssl.conf

In this file, make sure the CustomLog directive uses one of the formats you updated in Step 2 (combined, or combinedio when mod_logio is loaded). Use exactly one CustomLog per log file: two directives pointing at the same file would record every HTTPS request twice.

<IfModule mod_ssl.c>
<VirtualHost *:443>

    # Your existing configuration here

    # Exactly one CustomLog for this file; prefer combinedio when mod_logio
    # is available, otherwise fall back to combined.
    <IfModule logio_module>
    CustomLog /var/log/httpd/access.log combinedio
    </IfModule>
    <IfModule !logio_module>
    CustomLog /var/log/httpd/access.log combined
    </IfModule>

    # Your existing configuration here

</VirtualHost>
</IfModule>

Save and close the file.

Step 4: Restart Apache

After making all these changes, check the configuration syntax first with apachectl configtest (or httpd -t); a typo in any of the edited files would otherwise leave httpd stopped after the restart. Then restart Apache to apply the new configuration:

sudo systemctl restart httpd

Step 5: Verify the Configuration

Check the access logs to ensure that the correct client IP (from CF-Connecting-IP) is being logged. Watch the file your virtual host writes to as well as the main log: with the SSL configuration above, HTTPS requests go to /var/log/httpd/access.log, while plain HTTP requests handled by the main server go to /var/log/httpd/access_log:

sudo tail -f /var/log/httpd/access_log /var/log/httpd/access.log

You should see the visitor's real IP address rather than Cloudflare's proxy IP. Two negative checks are worth doing as well. A request sent from the instance itself with a hand-written CF-Connecting-IP header must still be logged as 127.0.0.1, because loopback is not in the trusted list; if it is logged as the forged address, the trusted-proxy list is wider than it should be. And if any entry still shows an address from the Cloudflare ranges, that request went through a virtual host or log format the change did not reach.
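To make the trust rule behind Step 1 concrete, and to give Step 5 a check that does not rely on eyeballing tail output, here is an added Python example; it is not part of the original post and it is not Apache's code. It re-implements, in simplified form, the decision mod_remoteip makes for RemoteIPHeader plus RemoteIPTrustedProxy (the private-address exclusion for trusted proxies follows the module documentation for IPv4; the IPv6 loopback, link-local and ULA exclusions are an assumption of this example), then scans access-log lines in the combined format from Step 2 and reports entries whose client field is still a Cloudflare edge address, the symptom of a virtual host or log format the change did not reach. The Cloudflare ranges are the ones in remoteip.conf above; the peer addresses, visitor addresses and log lines are constructed for the example.

```python
"""Simplified model of the mod_remoteip trust decision, plus a log audit.

Added example for this post; not Apache's code. It shows why the
RemoteIPTrustedProxy list is the security boundary: CF-Connecting-IP is
only honoured when the TCP peer is inside that list.
"""
import ipaddress
import re
from typing import Iterable, List, Optional

# The ranges from remoteip.conf above. In production refresh them from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Addresses a *Trusted* proxy (as opposed to an *Internal* one) is not allowed
# to report as the client. The IPv4 entries are those the mod_remoteip
# documentation lists; the IPv6 entries are an assumption for this example.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def in_ranges(ip: str, ranges) -> bool:
    """True if ip (v4 or v6 text) falls inside any network in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def is_trusted_proxy(ip: str, trusted=CLOUDFLARE_RANGES) -> bool:
    return in_ranges(ip, trusted)


def effective_client_ip(peer_ip: str, cf_connecting_ip: Optional[str],
                        trusted=CLOUDFLARE_RANGES) -> str:
    """What %a would log for a request under RemoteIPHeader CF-Connecting-IP.

    Untrusted peer: the header is ignored and the peer is logged, which is
    what stops a client that reaches the origin directly from forging it.
    Trusted peer with a missing, unparsable or non-public header: peer logged.
    Trusted peer with a public header value: the header value is logged.
    """
    if cf_connecting_ip is None or not is_trusted_proxy(peer_ip, trusted):
        return peer_ip
    try:
        claimed = ipaddress.ip_address(cf_connecting_ip.strip())
    except ValueError:
        return peer_ip
    if in_ranges(str(claimed), NON_PUBLIC):
        return peer_ip
    return str(claimed)


# First field of the combined/common LogFormat from Step 2 (%a).
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def audit_access_log(lines: Iterable[str], trusted=CLOUDFLARE_RANGES) -> List[str]:
    """Return lines whose client field is still a Cloudflare edge address.

    Once mod_remoteip is applied, %a should never be a Cloudflare address.
    Entries that still show one mean the rewrite did not happen for that
    request: a vhost CustomLog using the old %h format, the module not
    loaded, or a new Cloudflare range missing from remoteip.conf.
    """
    unrestored = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            if is_trusted_proxy(m.group("client"), trusted):
                unrestored.append(line)
        except ValueError:
            pass  # a hostname (HostnameLookups On) or "-", not an address
    return unrestored


# Constructed sample: two restored entries, two that still show an edge IP.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.70.42.10 - - [10/Mar/2024:12:00:02 +0000] "GET /login HTTP/1.1" 200 734 "-" "curl/8.5.0"',
    '2a06:98c0:3600::103 - - [10/Mar/2024:12:00:03 +0000] "POST /api HTTP/1.1" 403 12 "-" "-"',
    '198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    # Genuine Cloudflare edge forwarding a visitor: header honoured.
    print(effective_client_ip("172.70.42.10", "203.0.113.5"))   # 203.0.113.5
    # Direct-to-origin client forging the header: header ignored.
    print(effective_client_ip("198.51.100.9", "203.0.113.5"))   # 198.51.100.9
    # Trusted peer claiming a private client: rejected, peer logged.
    print(effective_client_ip("172.70.42.10", "10.0.0.5"))      # 172.70.42.10
    for line in audit_access_log(SAMPLE_LOG):
        print("NOT RESTORED:", line.split(" ", 1)[0])
```

The same two cases can be exercised against the live server: a request sent from the origin host with a forged CF-Connecting-IP header must be logged with the loopback address, because 127.0.0.1 is not a trusted proxy, while a request that arrives through Cloudflare must be logged with your own public address. The audit cannot tell a direct-to-origin connection apart from a restored one, because the page's format logs only %a; if you also log %{c}a, the underlying peer, an entry whose peer is outside the Cloudflare ranges reveals a client that bypassed Cloudflare, which is the reason to restrict inbound 80/443 in the instance's security group to the same ranges.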

Conclusion

With these simple steps, you can restore the original visitor IP in your Apache logs on Amazon Linux 2023. By modifying remoteip.conf, adjusting the log format in httpd.conf, and updating the SSL virtual host configuration, you ensure that both HTTP and HTTPS requests record the correct client IP. Two things keep the setup trustworthy over time: re-sync the RemoteIPTrustedProxy list with Cloudflare's published ranges whenever they change, and restrict inbound 80/443 on the instance to those same ranges so that nothing can reach the origin except through Cloudflare.

For more information on restoring original visitor IPs using Cloudflare, refer to the official documentation here:

Cloudflare: Restoring Original Visitor IPs
