Stuff & Nonsense

Magento show remote IP in cloudflare: the right way

After writing this post on how to override Magento’s HTTP helper to pull in the ‘real’ remote ip address when behind a reverse proxy system like Cloudflare.  After reading this, Jack at helpfully wrote in to point out the right way of doing this.

If you look in /app/etc/local.xml.additional there’s some extra nodes in there that you can copy into your local.xml to add additonal funcitonality… and one of the things you can do is add remote headers for reverse proxies.

so, copy the following code into your local.xml under the ‘global’ node:

<remote_addr_headers><!-- list headers that contain real client IP if webserver is behind a reverse proxy -->

And that should do the trick!  I’ll leave the other article up as it’s a good tutorial for overriding a helper anyway, but this method is much simpler.

12 thoughts on “Magento show remote IP in cloudflare: the right way

  1. so you’ve found no problems using cloudflare and magento? I tried about a year ago, and encountered all kinds of problems, but I didn’t use this snippet/

    1. Nope, we’ve not had any issues so far. In fact I’d heartily recommend Cloudflare as far as my experience so far goes. What sorts of problems were you seeing?

  2. Hi admin, and thanks for the link back on the CF IP address thing. I wanted to also spread the word about another issue with Cloudflare and Malwarebytes. It seems that Malwarebytes is flagging many CF IP addresses as malware, and as such, if website blocking is enabled (in the pro version or demo), access to CF cached sites is blocked. I submitted a report to Cloudflare, and the response I received back is below. While I was thrilled with the performance boost that their service provides, unfortunately it comes at the cost of some people being unable to access our website. If this was a small amount, or Malwarebytes wasn’t a major player in anti-malware, this wouldn’t be an issue, but with a footprint in the millions, this is a show stopper for me. Reading the forums at Malwarebytes website, it seems that they are in a pissing contest with CF, and the end result is an issue for site owners. It’s a pity for sure, as other than this, their service is awesome and I’ve had no issues, once I got things figured out initially.

    Hello, and thank you for contacting CloudFlare!

    This is the most current information I have available.

    Our recommendation regarding MalwareBytes right now is to disable the “malicious website blocking” module in the software . Here’s the problem:

    — Say one site on CloudFlare has an issue (according to Malwarebytes).

    — This site is on CloudFlare’s IPs.

    — In addition to that one site being on CloudFlare’s IPs, there are also potentially hundreds (or more) sites on those same IPs. If Malwarebytes blocks those ips with their software, they are blocking every site on the CloudFlare network with those IPs (in other words, they are blocking hundreds of domains because of an issue with one domain).

    It doesn’t look like this is an issue we can easily resolve with Malwarebytes right now. We have offered to block malware URLs from sites they report an issue with, since we have the capability to do so, but the stance of Malwarebytes is that we have to take down the site. We can’t take a site down for two primary reasons:

    — We’re not a hosting provider.

    — The site owner may have unknowingly been hacked and is unwittingly distributing malware.

    We will continue to see where our discussions with Malwarebytes goes & we hope this will change in the future.

    If you have any additional questions, please don’t hesitate to contact CloudFlare Support.



    1. Hi Jack, thanks for this info, certainly worth knowing… I’ll keep an eye on customer reports and see if we start to have problems with this.

  3. Does this still work? (on magento ce 1.9)
    When You say “copy the following code under the “global” node, it means inside it, or right after?
    Maybe You can show me how the result should look like?

    Are there any other changes that need to be made besides this, to see the actual customer ip’s in online customer section?

    Thanks in advance!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.