[GH-ISSUE #1358] X-forwared-for shows Cloudflare IP instead of real IP #1077

New issue

Open

opened 2026-02-26 06:35:40 +03:00 by kerem · 21 comments

kerem commented 2026-02-26 06:35:40 +03:00

Owner

Copy link

Originally created by @bernikr on GitHub (Aug 28, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1358

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug
When using Cloudflare infront of NPM, NPM populates the X-forwarded-for header with the cloudflare IP instead of the real IP that cloudflare provices in its X-forwarded-for header. I would expect NPM to check if the source IP is one of cloudflare's and trust the X-forwarded-for header in that case. This seemd to be a feature in 2.6.0 but broken in all verisons afterwards.

Nginx Proxy Manager Version
2.9.8

To Reproduce
Set up a cloudflare domain and let it point to NPM. If you now navigate to the site the server behind NPM will get one of cloudflare's IPs as the X-forwarded-for header instead of the client IP

Expected behavior
Show the real client IP that cloudflare reports in the X-forwarded-for header.

Operating System
Synology NAS

Additional context
The closed issues #112 and #811 both suggest using the following settings as a workaround:

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

This is however a major security risk as it doesnt check if the request is actually coming from cloudflare. It allows anyone with knowledge of your IP to send requests pretending to be from cloudflare with an CF-Connecting-IP header set to any IP they want, (including lan ips such as 10.0.0.1) possibly circumventing any IP based security measures.

Originally created by @bernikr on GitHub (Aug 28, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1358 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** When using Cloudflare infront of NPM, NPM populates the `X-forwarded-for` header with the cloudflare IP instead of the real IP that cloudflare provices in its `X-forwarded-for` header. I would expect NPM to check if the source IP is one of cloudflare's and trust the `X-forwarded-for` header in that case. This seemd to be a feature in `2.6.0` but broken in all verisons afterwards. **Nginx Proxy Manager Version** `2.9.8` **To Reproduce** Set up a cloudflare domain and let it point to NPM. If you now navigate to the site the server behind NPM will get one of cloudflare's IPs as the `X-forwarded-for` header instead of the client IP **Expected behavior** Show the real client IP that cloudflare reports in the `X-forwarded-for` header. **Operating System** Synology NAS **Additional context** The closed issues #112 and #811 both suggest using the following settings as a workaround: ``` real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; ``` This is however a **major security risk** as it doesnt check if the request is actually coming from cloudflare. It allows anyone with knowledge of your IP to send requests pretending to be from cloudflare with an `CF-Connecting-IP` header set to any IP they want, (including lan ips such as 10.0.0.1) possibly circumventing any IP based security measures.

kerem added the

bug

label 2026-02-26 06:35:40 +03:00

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@schevenin commented on GitHub (Sep 4, 2021):

Use v2.6.0 is what I found in my #811

<!-- gh-comment-id:912897722 --> @schevenin commented on GitHub (Sep 4, 2021): Use v2.6.0 is what I found in my #811

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@TritonB7 commented on GitHub (Jan 21, 2022):

Found the following:

set_real_ip_from defines trusted addresses that are known to send correct replacement addresses.
Source: https://nginx.org/en/docs/http/ngx_http_realip_module.html

nginx configuration file snippet (IPv4 only):

set_real_ip_from    03.21.244.0/22;
set_real_ip_from    103.22.200.0/22;
set_real_ip_from    103.31.4.0/22;
set_real_ip_from    104.16.0.0/13;
set_real_ip_from    104.24.0.0/14;
set_real_ip_from    108.162.192.0/18;
set_real_ip_from    131.0.72.0/22;
set_real_ip_from    141.101.64.0/18;
set_real_ip_from    162.158.0.0/15;
set_real_ip_from    172.64.0.0/13;
set_real_ip_from    173.245.48.0/20;
set_real_ip_from    188.114.96.0/20;
set_real_ip_from    190.93.240.0/20;
set_real_ip_from    197.234.240.0/22;
set_real_ip_from    198.41.128.0/17;

#use any of the following two

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

Cloudflare Documentation:
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

Cloudflare IPs:
https://www.cloudflare.com/ips

<!-- gh-comment-id:1018630893 --> @TritonB7 commented on GitHub (Jan 21, 2022): Found the following: `set_real_ip_from` defines trusted addresses that are known to send correct replacement addresses. Source: https://nginx.org/en/docs/http/ngx_http_realip_module.html nginx configuration file snippet (IPv4 only): ``` set_real_ip_from 03.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/13; set_real_ip_from 104.24.0.0/14; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; #use any of the following two real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; ``` Cloudflare Documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs Cloudflare IPs: https://www.cloudflare.com/ips

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@gmcinalli commented on GitHub (Jan 21, 2022):

Awesome @TritonB7, I've tried it and it seems to work!

<!-- gh-comment-id:1018712947 --> @gmcinalli commented on GitHub (Jan 21, 2022): Awesome @TritonB7, I've tried it and it seems to work!

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@ctrlbrk42 commented on GitHub (Feb 24, 2022):

Is this still not automatic/internal to NPM v2.9.16?

I am migrating to NPM. Previously, I was using this on my own config:

#!/bin/bash echo "#Cloudflare" > /var/www/nginx/cloudflare.conf; for i in $(curl https://www.cloudflare.com/ips-v4); do echo "set_real_ip_from $i;" >> /var/www/nginx/cloudflare.conf; done echo "real_ip_header CF-Connecting-IP;" >> /var/www/nginx/cloudflare.conf;

Not ideal but hacky enough to get the job done.

I landed on this thread because am experiencing this issue with my upstream behind NPM, it's not logging the correct IP where it was pre-NPM.

<!-- gh-comment-id:1050311194 --> @ctrlbrk42 commented on GitHub (Feb 24, 2022): Is this still not automatic/internal to NPM `v2.9.16`? I am migrating to NPM. Previously, I was using this on my own config: `#!/bin/bash echo "#Cloudflare" > /var/www/nginx/cloudflare.conf; for i in $(curl https://www.cloudflare.com/ips-v4); do echo "set_real_ip_from $i;" >> /var/www/nginx/cloudflare.conf; done echo "real_ip_header CF-Connecting-IP;" >> /var/www/nginx/cloudflare.conf;` Not ideal but hacky enough to get the job done. I landed on this thread because am experiencing this issue with my upstream behind NPM, it's not logging the correct IP where it was pre-NPM.

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@punksinatra commented on GitHub (Mar 15, 2022):

Is this still not automatic/internal to NPM v2.9.16?

I am migrating to NPM. Previously, I was using this on my own config:

#!/bin/bash echo "#Cloudflare" > /var/www/nginx/cloudflare.conf; for i in $(curl https://www.cloudflare.com/ips-v4); do echo "set_real_ip_from $i;" >> /var/www/nginx/cloudflare.conf; done echo "real_ip_header CF-Connecting-IP;" >> /var/www/nginx/cloudflare.conf;

Not ideal but hacky enough to get the job done.

I landed on this thread because am experiencing this issue with my upstream behind NPM, it's not logging the correct IP where it was pre-NPM.

Not sure if you have fixed this but I saw something here 811 check the post by techc0de maybe you can try it.

<!-- gh-comment-id:1068407416 --> @punksinatra commented on GitHub (Mar 15, 2022): > Is this still not automatic/internal to NPM `v2.9.16`? > > I am migrating to NPM. Previously, I was using this on my own config: > > `#!/bin/bash echo "#Cloudflare" > /var/www/nginx/cloudflare.conf; for i in $(curl https://www.cloudflare.com/ips-v4); do echo "set_real_ip_from $i;" >> /var/www/nginx/cloudflare.conf; done echo "real_ip_header CF-Connecting-IP;" >> /var/www/nginx/cloudflare.conf;` > > Not ideal but hacky enough to get the job done. > > I landed on this thread because am experiencing this issue with my upstream behind NPM, it's not logging the correct IP where it was pre-NPM. Not sure if you have fixed this but I saw something here [811](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/811#issuecomment-801895697) check the post by techc0de maybe you can try it.

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@ctrlbrk42 commented on GitHub (Mar 15, 2022):

Is this still not automatic/internal to NPM v2.9.16?

I am migrating to NPM. Previously, I was using this on my own config:

#!/bin/bash echo "#Cloudflare" > /var/www/nginx/cloudflare.conf; for i in $(curl https://www.cloudflare.com/ips-v4); do echo "set_real_ip_from $i;" >> /var/www/nginx/cloudflare.conf; done echo "real_ip_header CF-Connecting-IP;" >> /var/www/nginx/cloudflare.conf;

Not ideal but hacky enough to get the job done.

I landed on this thread because am experiencing this issue with my upstream behind NPM, it's not logging the correct IP where it was pre-NPM.

Not sure if you have fixed this but I saw something here 811 check the post by techc0de maybe you can try it.

I switched to Caddy for this particular project.

<!-- gh-comment-id:1068430261 --> @ctrlbrk42 commented on GitHub (Mar 15, 2022): > > Is this still not automatic/internal to NPM `v2.9.16`? > > > > I am migrating to NPM. Previously, I was using this on my own config: > > > > `#!/bin/bash echo "#Cloudflare" > /var/www/nginx/cloudflare.conf; for i in $(curl https://www.cloudflare.com/ips-v4); do echo "set_real_ip_from $i;" >> /var/www/nginx/cloudflare.conf; done echo "real_ip_header CF-Connecting-IP;" >> /var/www/nginx/cloudflare.conf;` > > > > Not ideal but hacky enough to get the job done. > > > > I landed on this thread because am experiencing this issue with my upstream behind NPM, it's not logging the correct IP where it was pre-NPM. > > Not sure if you have fixed this but I saw something here [811](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/811#issuecomment-801895697) check the post by techc0de maybe you can try it. > > I switched to Caddy for this particular project.

kerem commented 2026-02-26 06:35:40 +03:00

Author

Owner

Copy link

@bioszombie commented on GitHub (Feb 3, 2023):

Awesome @TritonB7, I've tried it and it seems to work!

Where did you update this? In the GUI or in the compose file?

<!-- gh-comment-id:1414629561 --> @bioszombie commented on GitHub (Feb 3, 2023): > Awesome @TritonB7, I've tried it and it seems to work! Where did you update this? In the GUI or in the compose file?

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@gmcinalli commented on GitHub (Feb 3, 2023):

@bioszombie “Custom Nginx Configuration” field in the “Advanced” tab of the proxy host editing modal on the GUI.

<!-- gh-comment-id:1415039024 --> @gmcinalli commented on GitHub (Feb 3, 2023): @bioszombie “Custom Nginx Configuration” field in the “Advanced” tab of the proxy host editing modal on the GUI.

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@bioszombie commented on GitHub (Feb 3, 2023):

@bioszombie “Custom Nginx Configuration” field in the “Advanced” tab of the proxy host editing modal on the GUI.

Thank you. That worked!

<!-- gh-comment-id:1415816639 --> @bioszombie commented on GitHub (Feb 3, 2023): > @bioszombie “Custom Nginx Configuration” field in the “Advanced” tab of the proxy host editing modal on the GUI. Thank you. That worked!

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@wdolan commented on GitHub (Mar 1, 2023):

I am currently trying to get this working with Guacamole and can't seem to figure it out as that isn't working.
I am trying with the below and it doesn't seem to be picking up the remote ip but the ip address of Cloudflare that it is routing through.
Does this look correct? I also tried adding a copy of the real_ip_header line under the location section which made no difference.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
location / {
proxy_pass http://10.1.11.3:9998/guacamole/;
proxy_cookie_path /guacamole/ /;
}

<!-- gh-comment-id:1449313953 --> @wdolan commented on GitHub (Mar 1, 2023): I am currently trying to get this working with Guacamole and can't seem to figure it out as that isn't working. I am trying with the below and it doesn't seem to be picking up the remote ip but the ip address of Cloudflare that it is routing through. Does this look correct? I also tried adding a copy of the real_ip_header line under the location section which made no difference. set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; real_ip_header CF-Connecting-IP; location / { proxy_pass http://10.1.11.3:9998/guacamole/; proxy_cookie_path /guacamole/ /; }

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@gmcinalli commented on GitHub (Mar 1, 2023):

@wdolan I don't think you need the location block, that will be handled by the NPM UI.

<!-- gh-comment-id:1450009887 --> @gmcinalli commented on GitHub (Mar 1, 2023): @wdolan I don't think you need the location block, that will be handled by the NPM UI.

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@wdolan commented on GitHub (May 18, 2023):

Hello,
Maybe I have something wrong then.
Even then trying to make a few variants on it, I am seeing connections as
being from 127.0.0.1 despite having the below setup.
When I connect through the host from the same network using the machine
name instead of the external FQDN it reports correctly.
Did I miss something?
server {
server_name remote.redacted.net;
location / {
set_real_ip_from 03.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
proxy_pass http://localhost:8080/guacamole/;

proxy_pass http://localhost:8081;

proxy_read_timeout  90;
proxy_http_version  1.1;
proxy_cache_bypass  $http_upgrade;

proxy_buffering off;
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        $http_connection;
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         CF-Connecting-IP;
proxy_set_header X-Forwarded-For   CF-Connecting-IP;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Port  $server_port;
proxy_intercept_errors on;

}

listen 443 http2 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/remote.redacted.net/fullchain.pem;

managed by Certbot

ssl_certificate_key /etc/letsencrypt/live/

remote.redacted.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
error_page 404 500 502 503 504
https://letmegooglethat.com/?q=why+does+my+server+have+an+error;
}

Any help would be greatly appreciated.

On Thu, May 18, 2023 at 12:39 PM glassman81 @.***>
wrote:

Found the following:

set_real_ip_from defines trusted addresses that are known to send correct
replacement addresses. Source:
https://nginx.org/en/docs/http/ngx_http_realip_module.html

nginx configuration file snippet (IPv4 only):

set_real_ip_from 03.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;

#use any of the following two

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

Cloudflare Documentation:
https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

Cloudflare IPs: https://www.cloudflare.com/ips

Sorry, I know this post is a little older, but what would happen if you
included the “real_ip_header X-Forwarded-For;” line but didn’t add any
actual cloudflare addresses using “set_real_ip_from”?

—
Reply to this email directly, view it on GitHub
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1358#issuecomment-1553324231,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/ABA3PV6GNDF3NWHJFS5ZXP3XGZGE3ANCNFSM5C7EPWOQ
.
You are receiving this because you were mentioned.Message ID:
@.***>

<!-- gh-comment-id:1553521375 --> @wdolan commented on GitHub (May 18, 2023): Hello, Maybe I have something wrong then. Even then trying to make a few variants on it, I am seeing connections as being from 127.0.0.1 despite having the below setup. When I connect through the host from the same network using the machine name instead of the external FQDN it reports correctly. Did I miss something? server { server_name remote.redacted.net; location / { set_real_ip_from 03.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/13; set_real_ip_from 104.24.0.0/14; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; real_ip_header CF-Connecting-IP; proxy_pass http://localhost:8080/guacamole/; # proxy_pass http://localhost:8081; proxy_read_timeout 90; proxy_http_version 1.1; proxy_cache_bypass $http_upgrade; proxy_buffering off; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_set_header Host $host; proxy_set_header X-Real-IP CF-Connecting-IP; proxy_set_header X-Forwarded-For CF-Connecting-IP; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_intercept_errors on; } listen 443 http2 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/remote.redacted.net/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/ remote.redacted.net/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot error_page 404 500 502 503 504 https://letmegooglethat.com/?q=why+does+my+server+have+an+error; } Any help would be greatly appreciated. On Thu, May 18, 2023 at 12:39 PM glassman81 ***@***.***> wrote: > Found the following: > > set_real_ip_from defines trusted addresses that are known to send correct > replacement addresses. Source: > https://nginx.org/en/docs/http/ngx_http_realip_module.html > > nginx configuration file snippet (IPv4 only): > > set_real_ip_from 03.21.244.0/22; > set_real_ip_from 103.22.200.0/22; > set_real_ip_from 103.31.4.0/22; > set_real_ip_from 104.16.0.0/13; > set_real_ip_from 104.24.0.0/14; > set_real_ip_from 108.162.192.0/18; > set_real_ip_from 131.0.72.0/22; > set_real_ip_from 141.101.64.0/18; > set_real_ip_from 162.158.0.0/15; > set_real_ip_from 172.64.0.0/13; > set_real_ip_from 173.245.48.0/20; > set_real_ip_from 188.114.96.0/20; > set_real_ip_from 190.93.240.0/20; > set_real_ip_from 197.234.240.0/22; > set_real_ip_from 198.41.128.0/17; > > #use any of the following two > > real_ip_header CF-Connecting-IP; > #real_ip_header X-Forwarded-For; > > Cloudflare Documentation: > https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs > > Cloudflare IPs: https://www.cloudflare.com/ips > > Sorry, I know this post is a little older, but what would happen if you > included the “real_ip_header X-Forwarded-For;” line but didn’t add any > actual cloudflare addresses using “set_real_ip_from”? > > — > Reply to this email directly, view it on GitHub > <https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1358#issuecomment-1553324231>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ABA3PV6GNDF3NWHJFS5ZXP3XGZGE3ANCNFSM5C7EPWOQ> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@LuXc-NL commented on GitHub (Feb 29, 2024):

Found the following:

set_real_ip_from defines trusted addresses that are known to send correct replacement addresses. Source: https://nginx.org/en/docs/http/ngx_http_realip_module.html

nginx configuration file snippet (IPv4 only):

set_real_ip_from    03.21.244.0/22;
set_real_ip_from    103.22.200.0/22;
set_real_ip_from    103.31.4.0/22;
set_real_ip_from    104.16.0.0/13;
set_real_ip_from    104.24.0.0/14;
set_real_ip_from    108.162.192.0/18;
set_real_ip_from    131.0.72.0/22;
set_real_ip_from    141.101.64.0/18;
set_real_ip_from    162.158.0.0/15;
set_real_ip_from    172.64.0.0/13;
set_real_ip_from    173.245.48.0/20;
set_real_ip_from    188.114.96.0/20;
set_real_ip_from    190.93.240.0/20;
set_real_ip_from    197.234.240.0/22;
set_real_ip_from    198.41.128.0/17;

#use any of the following two

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

Cloudflare Documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

Cloudflare IPs: https://www.cloudflare.com/ips

You just saved my day!

<!-- gh-comment-id:1970824922 --> @LuXc-NL commented on GitHub (Feb 29, 2024): > Found the following: > > `set_real_ip_from` defines trusted addresses that are known to send correct replacement addresses. Source: https://nginx.org/en/docs/http/ngx_http_realip_module.html > > nginx configuration file snippet (IPv4 only): > > ``` > set_real_ip_from 03.21.244.0/22; > set_real_ip_from 103.22.200.0/22; > set_real_ip_from 103.31.4.0/22; > set_real_ip_from 104.16.0.0/13; > set_real_ip_from 104.24.0.0/14; > set_real_ip_from 108.162.192.0/18; > set_real_ip_from 131.0.72.0/22; > set_real_ip_from 141.101.64.0/18; > set_real_ip_from 162.158.0.0/15; > set_real_ip_from 172.64.0.0/13; > set_real_ip_from 173.245.48.0/20; > set_real_ip_from 188.114.96.0/20; > set_real_ip_from 190.93.240.0/20; > set_real_ip_from 197.234.240.0/22; > set_real_ip_from 198.41.128.0/17; > > #use any of the following two > > real_ip_header CF-Connecting-IP; > #real_ip_header X-Forwarded-For; > ``` > > Cloudflare Documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs > > Cloudflare IPs: https://www.cloudflare.com/ips You just saved my day!

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@reply2future commented on GitHub (Mar 9, 2024):

@bioszombie “Custom Nginx Configuration” field in the “Advanced” tab of the proxy host editing modal on the GUI.

If you want to take effect to all your websites, you could add the content to a file /data/nginx/custom/server_proxy.conf which is included at the end of every proxy server block. You could find more information from official document

<!-- gh-comment-id:1986789382 --> @reply2future commented on GitHub (Mar 9, 2024): > @bioszombie “Custom Nginx Configuration” field in the “Advanced” tab of the proxy host editing modal on the GUI. If you want to take effect to all your websites, you could add the content to a file `/data/nginx/custom/server_proxy.conf` which is included at the end of every proxy server block. You could find more information from [official document](https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations:~:text=/data/nginx/custom/server_proxy.conf%3A%20Included%20at%20the%20end%20of%20every%20proxy%20server%20block)

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@Bluscream commented on GitHub (Apr 7, 2024):

this is a godsend 🙏

here's the latest ips

/portainer/Files/AppData/Config/nginx-proxy-manager $ cat data/nginx/custom/server_proxy.conf

set_real_ip_from    103.21.244.0/22;
set_real_ip_from    103.22.200.0/22;
set_real_ip_from    103.31.4.0/22;
set_real_ip_from    104.16.0.0/13;
set_real_ip_from    104.24.0.0/14;
set_real_ip_from    108.162.192.0/18;
set_real_ip_from    131.0.72.0/22;
set_real_ip_from    141.101.64.0/18;
set_real_ip_from    162.158.0.0/15;
set_real_ip_from    172.64.0.0/13;
set_real_ip_from    173.245.48.0/20;
set_real_ip_from    188.114.96.0/20;
set_real_ip_from    190.93.240.0/20;
set_real_ip_from    197.234.240.0/22;
set_real_ip_from    198.41.128.0/17;
set_real_ip_from    2400:cb00::/32;
set_real_ip_from    2405:8100::/32;
set_real_ip_from    2405:b500::/32;
set_real_ip_from    2606:4700::/32;
set_real_ip_from    2803:f800::/32;
set_real_ip_from    2a06:98c0::/29;
set_real_ip_from    2c0f:f248::/32;

#use any of the following two

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

EDIT: Seems like npm is already fetching these ips, isn't this a reason to implement a simple checkbox to enable cloudflare visitor ips? @jc21

2024-04-07T15:07:13.850501792Z [4/7/2024] [3:07:13 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
2024-04-07T15:07:13.977207458Z [4/7/2024] [3:07:13 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6

<!-- gh-comment-id:2041499454 --> @Bluscream commented on GitHub (Apr 7, 2024): this is a godsend :pray: here's the latest ips `/portainer/Files/AppData/Config/nginx-proxy-manager $ cat data/nginx/custom/server_proxy.conf` ```conf set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/13; set_real_ip_from 104.24.0.0/14; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2a06:98c0::/29; set_real_ip_from 2c0f:f248::/32; #use any of the following two real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; ``` EDIT: Seems like npm is already fetching these ips, isn't this a reason to implement a simple checkbox to enable cloudflare visitor ips? @jc21 ```log 2024-04-07T15:07:13.850501792Z [4/7/2024] [3:07:13 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4 2024-04-07T15:07:13.977207458Z [4/7/2024] [3:07:13 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6 ```

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@MrrZed0 commented on GitHub (Apr 10, 2024):

Found the following:

set_real_ip_from defines trusted addresses that are known to send correct replacement addresses. Source: https://nginx.org/en/docs/http/ngx_http_realip_module.html

nginx configuration file snippet (IPv4 only):

set_real_ip_from    03.21.244.0/22;
set_real_ip_from    103.22.200.0/22;
set_real_ip_from    103.31.4.0/22;
set_real_ip_from    104.16.0.0/13;
set_real_ip_from    104.24.0.0/14;
set_real_ip_from    108.162.192.0/18;
set_real_ip_from    131.0.72.0/22;
set_real_ip_from    141.101.64.0/18;
set_real_ip_from    162.158.0.0/15;
set_real_ip_from    172.64.0.0/13;
set_real_ip_from    173.245.48.0/20;
set_real_ip_from    188.114.96.0/20;
set_real_ip_from    190.93.240.0/20;
set_real_ip_from    197.234.240.0/22;
set_real_ip_from    198.41.128.0/17;

#use any of the following two

real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

Cloudflare Documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

Cloudflare IPs: https://www.cloudflare.com/ips

man this worked for me using CasaOS with home assistant and Nginx Proxy Manager and Cloudflare with proxy enabled and now i can access it thanks to this information thanks so much, spend so many hours trying to get it to work

<!-- gh-comment-id:2046558115 --> @MrrZed0 commented on GitHub (Apr 10, 2024): > Found the following: > > `set_real_ip_from` defines trusted addresses that are known to send correct replacement addresses. Source: https://nginx.org/en/docs/http/ngx_http_realip_module.html > > nginx configuration file snippet (IPv4 only): > > ``` > set_real_ip_from 03.21.244.0/22; > set_real_ip_from 103.22.200.0/22; > set_real_ip_from 103.31.4.0/22; > set_real_ip_from 104.16.0.0/13; > set_real_ip_from 104.24.0.0/14; > set_real_ip_from 108.162.192.0/18; > set_real_ip_from 131.0.72.0/22; > set_real_ip_from 141.101.64.0/18; > set_real_ip_from 162.158.0.0/15; > set_real_ip_from 172.64.0.0/13; > set_real_ip_from 173.245.48.0/20; > set_real_ip_from 188.114.96.0/20; > set_real_ip_from 190.93.240.0/20; > set_real_ip_from 197.234.240.0/22; > set_real_ip_from 198.41.128.0/17; > > #use any of the following two > > real_ip_header CF-Connecting-IP; > #real_ip_header X-Forwarded-For; > ``` > > Cloudflare Documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs > > Cloudflare IPs: https://www.cloudflare.com/ips man this worked for me using CasaOS with home assistant and Nginx Proxy Manager and Cloudflare with proxy enabled and now i can access it thanks to this information thanks so much, spend so many hours trying to get it to work

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@aerickt commented on GitHub (Nov 26, 2024):

For anyone in the same situation as me: if you're using a Cloudflare zero trust tunnel, I only needed a single set_real_ip_from specifying the local Cloudflare network IP. This is the IP your server will report when visiting through the tunnel

<!-- gh-comment-id:2501344525 --> @aerickt commented on GitHub (Nov 26, 2024): For anyone in the same situation as me: if you're using a Cloudflare zero trust tunnel, I only needed a single set_real_ip_from specifying the local Cloudflare network IP. This is the IP your server will report when visiting through the tunnel

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@mrwogu commented on GitHub (Mar 5, 2025):

There is no need to manually specify set_real_ip_from for Cloudflare IP addresses, because Nginx Proxy Manager already includes a built-in ip_ranges.conf file that’s automatically generated and refreshed.

It’s based on Cloudflare and CloudFront IP addresses. You can check it out here:
https://github.com/NginxProxyManager/nginx-proxy-manager/blob/master/backend/internal/ip_ranges.js

Simply add the following snippet to your /data/nginx/custom/server_proxy.conf configuration:

include conf.d/include/ip_ranges.conf;
real_ip_header X-Forwarded-For;

<!-- gh-comment-id:2701049640 --> @mrwogu commented on GitHub (Mar 5, 2025): There is no need to manually specify `set_real_ip_from` for Cloudflare IP addresses, because Nginx Proxy Manager already includes a built-in `ip_ranges.conf` file that’s automatically generated and refreshed. It’s based on Cloudflare and CloudFront IP addresses. You can check it out here: https://github.com/NginxProxyManager/nginx-proxy-manager/blob/master/backend/internal/ip_ranges.js Simply add the following snippet to your `/data/nginx/custom/server_proxy.conf` configuration: ``` include conf.d/include/ip_ranges.conf; real_ip_header X-Forwarded-For; ```

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@anver commented on GitHub (Apr 4, 2025):

Nothing works for me, tried everything on this page, still getting the container ip

<!-- gh-comment-id:2779012280 --> @anver commented on GitHub (Apr 4, 2025): Nothing works for me, tried everything on this page, still getting the container ip

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Oct 15, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:3404255840 --> @github-actions[bot] commented on GitHub (Oct 15, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 06:35:41 +03:00

Author

Owner

Copy link

@enoot commented on GitHub (Dec 9, 2025):

No need to add include conf.d/include/ip_ranges.conf;.
Those configs are included by default.
Just add real_ip_header X-Forwarded-For; in your proxy host custom config.

<!-- gh-comment-id:3633389269 --> @enoot commented on GitHub (Dec 9, 2025): No need to add `include conf.d/include/ip_ranges.conf;`. Those configs are included by default. Just add `real_ip_header X-Forwarded-For;` in your proxy host custom config.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#1077

No description provided.