Show Real Visitor IP Instead of CloudFlare IPs

When using CloudFlare CDN in front of your LiteSpeed Web Server, you may see a proxy IP instead of the real IP addresses of visitors.

To restore real visitor IPs, navigate to LiteSpeed WebAdmin Console > Configuration > General Settings and set Use Client IP in Header to Trusted IP Only, and add CloudFlare IPs/Subnets to the trusted list, as shown below. If Use Client IP in Header is set to Yes instead of Trusted IP only, clients can spoof IPs with the X-Forwarded-For header that is sent to CloudFlare. This is not recommended!

Starting from 5.4.9, CloudFlare IPs will be automatically treated as trusted IPs though they won't show from LiteSpeed ACL allowed configuration at all.

If you have any need to add CloudFlare IPs or other proxy/CDN IPs manually, The following snapshot shows how to add CloudFlare to the trusted list manually. Please also refer to this wiki for detailed instructions.

The list of CloudFlare IP subnets is available at https://www.cloudflare.com/ips/. Your LiteSpeed ACL allowed configuration should look like:

ALL, 103.21.244.0/22T, 103.22.200.0/22T, 103.31.4.0/22T, 104.16.0.0/13T, 104.24.0.0/14T, 108.162.192.0/18T, 131.0.72.0/22T, 141.101.64.0/18T, 162.158.0.0/15T, 172.64.0.0/13T, 173.245.48.0/20T, 188.114.96.0/20T, 190.93.240.0/20T, 197.234.240.0/22T, 198.41.128.0/17T

If there is another layer of proxy setup in front of LiteSpeed Web Server on the same server box (i.e. CloudFlare Railgun, Nginx, or Varnish), you also need to add that server IP to the trusted list. QUIC.Cloud IPs and localhost should be automatically treated as Trusted IP already without any extra manual configuration.

Once enabled, your access logs will show the correct IP addresses and even PHP's $_SERVER['REMOTE_ADDR'] variable will contain your visitors' real IP addresses instead of a CloudFlare IP address. This will resolve most problems that might occur when enabling CloudFlare on PHP-enabled web sites (like WordPress or vBulletin installations).

Please be aware that only the access log shows real visitor IPs. The error log still shows IPs of CloudFlare nodes. This may change in a future release.