Logging remote ip from CF proxy in Apache
Configuring Apache2 so that it logs the real client IP address for requests that arrive through a Cloudflare Tunnel
Enable Apache2 remoteip module
a2enmod remoteip
Update Apache vhost Configuration
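Modify your Apache configuration to use the CF-Connecting-IP header. You can do this by adding the following lines to your apache2.conf or the specific virtual host configuration file. RemoteIPTrustedProxy limits which peers may supply the header: with the values below, CF-Connecting-IP is honored only on connections coming from the loopback addresses, which is where the tunnel connects from.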
<IfModule mod_remoteip.c>
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 127.0.0.1 ::1
</IfModule>
Modify Apache log format
When using mod_remoteip in Apache, you should replace %h with %a in the LogFormat directive to log the real client IP address correctly.
- %h: This logs the "remote hostname", which by default is the IP address of the client making the request, or in this case, the proxy (Cloudflare Tunnel at 127.0.0.1).
- %a: This logs the "remote IP address", which will reflect the actual client IP after it's modified by mod_remoteip based on the CF-Connecting-IP header.
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
#LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
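To check that the change took effect, the access log can be audited for entries that still carry the proxy address. The script below is an added example, not part of the original page; it assumes the combined, vhost_combined or common formats shown above, and the log lines in it are constructed samples.

```python
import ipaddress
import re

# Addresses from the RemoteIPTrustedProxy line above.
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1")}

# combined / common: %a %l %u %t "%r" %>s %O ...
# vhost_combined:    %v:%p %a %l %u %t "%r" %>s %O ...  (one extra leading field)
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+:\d+) )?(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    'example.test:443 203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '127.0.0.1 - - [10/Oct/2024:13:55:40 +0000] "GET /admin HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '::1 - - [10/Oct/2024:13:56:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
    'example.test:443 2001:db8::1 - - [10/Oct/2024:13:56:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not an access log line',
]

def audit(lines):
    """Return (proxy_hits, unparsed).

    proxy_hits: (line number, request) for entries logged with a trusted-proxy
    address, meaning no CF-Connecting-IP was applied (header absent,
    mod_remoteip inactive for that vhost, or the format still uses %h).
    unparsed: line numbers that do not match the expected formats.
    """
    proxy_hits, unparsed = [], []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m["client"]) if m else None
        except ValueError:  # a hostname here means %h with lookups enabled
            addr = None
        if addr is None:
            unparsed.append(n)
            continue
        # Dual-stack listeners can log loopback as ::ffff:127.0.0.1.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if addr in TRUSTED_PROXIES:
            proxy_hits.append((n, m["request"]))
    return proxy_hits, unparsed

if __name__ == "__main__":
    hits, bad = audit(SAMPLE)
    for n, req in hits:
        print(f"line {n}: logged with proxy address: {req}")
    print(f"unparsed lines: {bad}")
```

If every entry is reported, the log format or module is not in effect; a handful of entries usually means requests reached Apache locally without passing through the tunnel.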