Maciej Adamski

Reputation: 1

NGINX Reverse Proxy with Cloudflare

I have a problem with reverse proxy configuration using NGINX. I'm using Cloudflare as a DNS server. I added two "A" entries to Cloudflare with one proxy enabled and the other not. For example:

  1. system.domain.com (Cloudflare Proxy ON)
  2. system2.domain.com (Cloudflare Proxy OFF)

My NGINX configuration:

server {
    listen 80;
    listen [::]:80;

    server_name system.domain.com system2.domain.com;
    server_tokens off;

    set_real_ip_from 192.168.1.1;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {
        allow <My Public IP>;
        deny all;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.1.100;
    }
}

After entering the address system.domain.com in the browser from the allowed IP address, the page loads correctly (my public IP address is saved in the access logs). However, when I go to the system2.domain.com address from the same IP address, I get an error:

access forbidden by rule, client: 192.168.1.1

Where does this problem come from? Can Cloudflare Proxy somehow affect this? How can I fix this?

Upvotes: 0

Views: 8632

Answers (1)

Beshoy Girgis

Reputation: 467

I believe the problem is with the following line:

real_ip_header X-Forwarded-For;

I don't think it's set when the proxy is off. Try changing it to the following, which should always be set:

real_ip_header CF-Connecting-IP;

source: https://www.tools4nerds.com/online-tools/cf-real-ip-from-generator

Upvotes: 1
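
The address selection behind the error in the question, modelled in Python as an added example (not code from the post or from nginx itself). It follows the documented behaviour of set_real_ip_from, real_ip_header and real_ip_recursive. Assumptions: 203.0.113.10 stands in for "<My Public IP>", 198.51.100.7 is a constructed untrusted peer, and nginx sees 192.168.1.1 as the connecting peer for both hostnames.

```python
import ipaddress

# From the question's config; ALLOWED is a constructed stand-in for "<My Public IP>".
TRUSTED = [ipaddress.ip_network("192.168.1.1/32")]  # set_real_ip_from
ALLOWED = ipaddress.ip_address("203.0.113.10")      # allow ...; deny all;


def is_trusted(addr):
    return any(addr in net for net in TRUSTED)


def real_ip(peer, header_value, recursive=True):
    """Model of the client address the realip module settles on."""
    addr = ipaddress.ip_address(peer)
    # The header is consulted only when the connecting peer is trusted.
    # With no header present, the peer address is left unchanged.
    if not is_trusted(addr) or not header_value:
        return addr
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    # Walk the header right to left, as real_ip_recursive does.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep the address found so far
        addr = candidate
        # Without recursion the last entry wins; with it, stop at the
        # first entry that is not itself a trusted proxy.
        if not recursive or not is_trusted(addr):
            break
    return addr


def access(peer, header_value):
    """Apply the question's 'allow <My Public IP>; deny all;' rule."""
    client = real_ip(peer, header_value)
    return client, ("allow" if client == ALLOWED else "deny")


if __name__ == "__main__":
    cases = [
        ("proxy on, header present", "192.168.1.1", "203.0.113.10"),
        ("proxy off, header absent", "192.168.1.1", None),
        ("untrusted peer with header", "198.51.100.7", "203.0.113.10"),
    ]
    for label, peer, header in cases:
        client, verdict = access(peer, header)
        print(f"{label}: client={client} -> {verdict}")
```

The second case reproduces "access forbidden by rule, client: 192.168.1.1": with no header to read, the allow rule is evaluated against the trusted peer's own address.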
