Cloudflare Headers

Cloudflare provides DNS and many other add-on features for websites. By default it works as a proxy, so visitors’ IP addresses appear as Cloudflare’s IP addresses. You can find a complete list of Cloudflare IP addresses at https://www.cloudflare.com/ips/

Inside Cloudflare’s control panel there is a setting called the True-Client-IP Header. Its description box reads:

What is True-Client-IP?

If True-Client-IP is enabled, Cloudflare will add a True-Client-IP header in the request sent to the origin with the IP address of the end user.

By default, Cloudflare sends back packets with a Cloudflare IP address. True-Client-IP is a solution that allows Cloudflare users to see the end user’s IP address, even when the traffic to the origin is sent directly from Cloudflare.

This feature supplements our current CF-Connecting-IP and X-Forwarded-For headers.

For all plans, Cloudflare always sends the original visitor IP using the CF-Connecting-IP and X-Forwarded-For headers. This feature adds a third header, True-Client-IP, for compatibility with another vendor.

Even with these settings, our web server logs still display Cloudflare’s IP addresses, so we are unable to see the real IP of the visitor to the website.

Cloudflare has the following article, which explains the issue:

CloudFlare operates as a reverse proxy, so our customers will want to know how existing HTTP headers are handled, and what may change going through CloudFlare.

With these exceptions, CloudFlare passes on all HTTP headers as is from the client to the origin.

First exception: CF-Connecting-IP

To provide the client (visitor) IP address for every request to the origin, CloudFlare adds the CF-Connecting-IP header.

"CF-Connecting-IP: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address.

Second exception: X-Forwarded-For

X-Forwarded-For is a well-established HTTP header used by proxies, including CloudFlare, to pass along other IP addresses in the request. This is often the same as CF-Connecting-IP, but there may be multiple layers of proxies in a request path.

Two possible outcomes.

First, if there is no existing "X-Forwarded-For" header in the request, then the header would have an identical value to the CF-Connecting-IP header, like this:

"X-Forwarded-For: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address.

Second, if there is an "X-Forwarded-For" header present in the request, CloudFlare will append the client's IP to its value, as the last in the list.

"X-Forwarded-For: A.B.C.D[,X.X.X.X,Y.Y.Y.Y,]"

where A.B.C.D is the client's IP address, also known as the original visitor IP address. X.X.X.X and Y.Y.Y.Y in this example are IP addresses along the route in the header value.

Third exception: CF-RAY

The CF-Ray header is passed on which includes a hash appended with the datacenter the request came through. A sample looks like this:

"Cf-Ray: 230b030023ae2822-SJC"

Fourth Exception: CF-IPCountry

This header holds the country code of the originating visitor. It is a two-character value that will have the country code; if the country code is unknown, it will be "XX".

"Cf-Ipcountry: US"

Fifth Exception: CF-Visitor

The only values you will see in this header will be either HTTP or HTTPS; it's used to show the scheme used to connect. If you have Flexible SSL, you will see HTTPS was requested by the visitor.

"Cf-Visitor: { \"scheme\":\"https\"}" 

Sixth Exception: True-Client-IP   * Enterprise Plan only *

To provide the client (visitor) IP address for every request to the origin, CloudFlare adds the True-Client-IP header.

"True-Client-IP: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address. This request header is only available on our Enterprise plan.


Source: https://support.cloudflare.com/hc/en-us/articles/200170986

Resolution

To resolve the issue, you need to install the Cloudflare add-on called mod_cloudflare, an Apache module that enables the real IP address of the visitor to be shown in the web server logs:

(Reading database ... 82133 files and directories currently installed.)
Preparing to unpack mod_cloudflare-xenial-amd64.latest.deb ...
Unpacking libapache2-mod-cloudflare (2016.6.0-1) over (2016.6.0-1) ...
Setting up libapache2-mod-cloudflare (2016.6.0-1) ...

Source: https://www.cloudflare.com/technical-resources/
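
What restoring the visitor IP at the origin involves, as an added Python example (not mod_cloudflare's code and not from the Cloudflare article): CF-Connecting-IP is used only when the TCP peer is inside the proxy ranges published at https://www.cloudflare.com/ips/, because a client that reaches the origin directly can send any header value it likes. The networks, sample requests and function names below are constructed for illustration.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the proxy ranges published
# at https://www.cloudflare.com/ips/; a real deployment loads that list.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_trusted_proxy(peer_ip, nets=TRUSTED_PROXY_NETS):
    """True when the TCP peer address falls inside a trusted proxy range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in nets)


def visitor_ip(peer_ip, headers, nets=TRUSTED_PROXY_NETS):
    """Return (ip, source) to log for one request.

    peer_ip is the socket peer; headers is a dict of request headers.
    """
    if not is_trusted_proxy(peer_ip, nets):
        # Request did not come through the proxy: the header is
        # client-controlled, so log the peer address instead.
        return peer_ip, "peer"
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(value)), "cf-connecting-ip"
    except ValueError:
        # Header missing or not an IP address: keep the peer address.
        return peer_ip, "peer"


# Constructed sample requests: (socket peer, request headers).
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"CF-Connecting-IP": "203.0.113.7"}),      # via the proxy
    ("198.51.100.23", {"CF-Connecting-IP": "203.0.113.99"}),  # direct, header ignored
    ("192.0.2.10", {"CF-Connecting-IP": "not-an-ip"}),        # malformed value
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(peer, "->", visitor_ip(peer, hdrs))
```

The same check applies to X-Forwarded-For and True-Client-IP: none of them identifies the visitor unless the connection itself came from a listed proxy address.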