CloudFlare X-Forwarded-For Real Source IP

ethical20 · July 6, 2020, 8:21am

Hi,

I'm new to Elastic and need help to find the real IP of nginx site visitor.

The environment I have is Nginx module installed in Filebeat and reading the data passed via logstash to elasticsearch and viewed in kibana.

The site I have is proxied via Cloudflare, and as the documentation says here:

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-nginx.html

Is that (nginx.access.remote_ip_list) will read the X-Forwarded-For (which is the real ip of visitor and not cloudflare's IP)

But when checking this field in kibana, it gives Cloudflare's IP.

What shall I do to get the Real visitor IP?

Regards,

shaunak · July 6, 2020, 6:40pm

What version of Filebeat are you using?

The documentation also says:

Real source IP is restored to source.ip .

Have you checked the source.ip field in Kibana?

Shaunak

ethical20 · July 7, 2020, 5:11am

Filebeat 7.8, and yes checked the source.ip and it is sending cloud-flare's IP.

shaunak · July 7, 2020, 12:43pm

Can you post a sample line from your Nginx log and point out which one is the cloudflare IP and which one is the IP of the visitor in that line? Also please post your complete filebeat.yml and modules.d/nginx.yml (with any sensitive information redacted). Then I can try to reproduce your scenario on my end.

Thanks,

Shaunak

ethical20 · July 8, 2020, 7:50am

Hi,

In order to solve this issue, I've changed the nginx config file to list real Ip's instead of cloudflare.

I've used this as a turn around.

Here are the steps used.

The logs in nginx were only listing CD ip's and not both real and CD's Ip's

Regards,

system · August 5, 2020, 9:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.