Real Visitor IP
Learning Focus
By the end of this lesson you will know why Cloudflare masks visitor IPs and how to restore them in OpenLiteSpeed.
The Problem
When Cloudflare proxies traffic, OpenLiteSpeed sees Cloudflare's IP addresses instead of the real visitor IP. This breaks:
- Access logs (all requests appear from Cloudflare)
- IP-based rate limiting
- IP-based access control
- Geolocation features
How to Restore Real IPs
Cloudflare sends the real visitor IP in the CF-Connecting-IP header. OpenLiteSpeed can use this with the Use Client IP in Header setting.
In WebAdmin
- Navigate to Server Configuration → General → General Settings
- Set Use Client IP in Header: Yes
- Save and Graceful Restart
Securing the Header
Only trust the CF-Connecting-IP header from Cloudflare's IPs. Otherwise, an attacker could bypass IP restrictions by setting the header manually.
# Cloudflare's IP ranges (keep updated)
# https://www.cloudflare.com/ips/
# Consider adding firewall rules to allow only Cloudflare IPs to port 443
# and deny direct access from non-Cloudflare sources
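The trust decision described above, as an added example (not OpenLiteSpeed's own code). The function names are hypothetical, the range list is only a subset of the published list, and the sample requests are constructed.

```python
import ipaddress

# Illustrative subset of Cloudflare's published ranges; in real use load the
# full, current list from https://www.cloudflare.com/ips/.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]

def is_cloudflare(peer):
    """True if the TCP peer (socket) address is inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def naive_client_ip(peer, headers):
    """Weak: believes CF-Connecting-IP no matter who sent the request."""
    return headers.get("CF-Connecting-IP", peer)

def effective_client_ip(peer, headers):
    """Hardened: honours the header only when the peer is Cloudflare."""
    claimed = headers.get("CF-Connecting-IP")
    if claimed is None or not is_cloudflare(peer):
        return peer  # header absent, or sent by an untrusted peer: ignore it
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        return peer  # malformed value: fall back to the socket address

def allowed(client_ip, allowlist):
    """IP-based access control check against a list of CIDR ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowlist)

if __name__ == "__main__":
    admin_allowlist = ["10.0.0.0/8"]  # constructed internal-only rule
    # Constructed requests: (socket peer address, request headers)
    samples = [
        ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.7"}),  # via Cloudflare
        ("198.51.100.9", {"CF-Connecting-IP": "10.0.0.5"}),   # direct, forged
    ]
    for peer, headers in samples:
        naive = naive_client_ip(peer, headers)
        safe = effective_client_ip(peer, headers)
        print(peer, "naive:", naive, allowed(naive, admin_allowlist),
              "hardened:", safe, allowed(safe, admin_allowlist))
```

The second sample shows why the restriction matters: the naive lookup admits the forged 10.0.0.5 address to the internal-only rule, while the hardened lookup keeps the socket address and denies it.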
Verifying
# Check what IP the server logs
tail -5 /usr/local/lsws/logs/access.log
# Should show real visitor IPs, not Cloudflare IPs (e.g., 104.x.x.x, 172.x.x.x)
Warning: If you enable "Use Client IP in Header" without restricting to Cloudflare IPs, any client can spoof their IP by setting the header.
Key Takeaways
- Cloudflare proxying masks real visitor IPs — you must restore them for accurate logging and security.
- Use the Use Client IP in Header setting in OpenLiteSpeed.
- Only trust IP headers from Cloudflare's IP ranges to prevent spoofing.
What's Next
- Continue to Cloudflare IP Whitelist for firewall configuration.