{"id":11,"date":"2025-08-05T22:35:47","date_gmt":"2025-08-05T22:35:47","guid":{"rendered":"https:\/\/progresstechnologies.com\/?p=11"},"modified":"2025-08-05T22:35:47","modified_gmt":"2025-08-05T22:35:47","slug":"how-to-log-the-real-visitor-ip-address-when-using-cloudflare","status":"publish","type":"post","link":"https:\/\/progresstechnologies.com\/?p=11","title":{"rendered":"How to Log the Real Visitor IP Address When Using Cloudflare"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">If you accept connections from websites or API running behind <a>Cloudflare<\/a>, there\u2019s a hidden \u201cgotcha\u201d you must know about:<\/h2>\n\n\n\n<p><strong>By default, your end-point server will NOT see the real end-user\u2019s IP address.<\/strong><\/p>\n\n\n\n<p>Instead, every incoming request appears to come from a Cloudflare data center.<br>This impacts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Abuse prevention (rate limiting)<\/li>\n\n\n\n<li>Accurate analytics<\/li>\n\n\n\n<li>Geo-targeting<\/li>\n\n\n\n<li>Any IP-based feature or logging<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why?<\/strong><\/h3>\n\n\n\n<p>Cloudflare acts as a reverse proxy, routing all traffic through their global edge network.<br>Your server\u2019s <code>REMOTE_ADDR<\/code> variable now reflects the Cloudflare node\u2014not your actual visitor.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The Solution: Use the Special HTTP Header<\/strong><\/h3>\n\n\n\n<p><strong>Cloudflare automatically sends the true client IP in the <code>CF-Connecting-IP<\/code> HTTP header.<\/strong><\/p>\n\n\n\n<p>To reliably log and process the real user\u2019s IP in PHP, use this snippet:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>function getRealIp() {<br>    \/\/ Prefer Cloudflare's header if present<br>    if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {<br>        return $_SERVER['HTTP_CF_CONNECTING_IP'];<br>    }<br>    \/\/ Optionally support generic proxies<br>    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {<br>        return explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0];<br>    }<br>    \/\/ Fallback to server-provided address<br>    return $_SERVER['REMOTE_ADDR'] ?? 'UNKNOWN';<br>}<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Best Practices:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use this <code>getRealIp()<\/code> helper everywhere you log, rate-limit, or analyze IP addresses.<\/li>\n\n\n\n<li>If you use other CDNs or reverse proxies, check their docs for equivalent headers.<\/li>\n\n\n\n<li>Do not trust <code>X-Forwarded-For<\/code> unless you control all proxy hops\u2014it can be spoofed by end users.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Why This Matters:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Without this fix:<\/strong> All requests appear to originate from Cloudflare, making IP-based abuse detection and analytics impossible.<\/li>\n\n\n\n<li><strong>With this fix:<\/strong> You\u2019ll always have the real end-user IP, whether you\u2019re behind Cloudflare or not.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Resources:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/developers.cloudflare.com\/support\/troubleshooting\/restoring-visitor-ips\/restoring-original-visitor-ips\/\" data-type=\"link\" data-id=\"https:\/\/developers.cloudflare.com\/support\/troubleshooting\/restoring-visitor-ips\/restoring-original-visitor-ips\/\">Cloudflare: Restoring Original Visitor IPs<\/a><\/li>\n\n\n\n<li><a class=\"\" href=\"https:\/\/www.php.net\/manual\/en\/reserved.variables.server.php\">PHP: $_SERVER superglobal<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>TL;DR:<\/strong><br>When accounting for Cloudflare, always log and use the IP from <code>CF-Connecting-IP<\/code>, not just <code>REMOTE_ADDR<\/code>.<br>It\u2019s a simple fix that saves hours of debugging and improves your site\u2019s security and analytics.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you accept connections from websites or API running behind Cloudflare, there\u2019s a hidden \u201cgotcha\u201d you must know about: By default, your end-point server will NOT see the real end-user\u2019s IP address. Instead, every incoming request appears to come from a Cloudflare data center.This impacts: Why? Cloudflare acts as a reverse proxy, routing all traffic [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-11","post","type-post","status-publish","format-standard","hentry","category-php-development"],"_links":{"self":[{"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=\/wp\/v2\/posts\/11","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11"}],"version-history":[{"count":1,"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=\/wp\/v2\/posts\/11\/revisions"}],"predecessor-version":[{"id":12,"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=\/wp\/v2\/posts\/11\/revisions\/12"}],"wp:attachment":[{"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/progresstechnologies.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}