Show Real Client IPs When Using LiteSpeed + Cloudflare

This guide shows how to get real visitor IPs for access control and traffic analysis when the site is behind a proxy server such as Cloudflare.

Because the OpenLiteSpeed admin panel is not available when ispmanager 6 is installed on the same server, you need to set the directive for the “Use Client IP in Header” option manually in the web server’s configuration file, “/usr/local/lsws/conf/httpd-config.conf”.

The directive “useIpInProxyHeader” specifies whether to use the IP address listed in the “X-Forwarded-For” header, just as the “Use Client IP in Header” option does. The directive is not set by default if the web server was installed via ispmanager 6 or its installation script.
It is recommended to add the directive “useIpInProxyHeader” after “showVersionNumber”. The example shows where the line goes; which value to choose is covered below:

mime	conf/mime.properties
showVersionNumber	0
useIpInProxyHeader	1
adminEmails	root@localhost

The directive accepts the following values:

  • 0 – disabled
  • 1 – enabled
  • 2 – trusted IP Only
  • 3 – keep Header from trusted IP

Setting the value to “1” is not recommended, because it allows clients to spoof IPs with the “X-Forwarded-For” header that is sent to Cloudflare.

To restore real visitor IPs, set the directive to “2” and then add the trusted IPs and/or subnets to the trusted list in the “allow” rule of the “accessControl” section.

IPs and subnets must be added as a comma-separated list, with a T (for “Trusted”) appended to the end of each entry, like so:

accessControl {
	allow ALL, 125.67.22.0/24T, 19.76.213.2/32T
}

Restart the web server to apply the changes:

service lsws restart
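
The check below is an added example, not part of the original article or of OpenLiteSpeed: a Python script that reads the text of httpd-config.conf and reports whether “useIpInProxyHeader” and the trusted entries in “accessControl” match the advice above. The function names and sample configs are constructed for illustration; it assumes that an absent directive means disabled and that trusted entries are written as plain IPs or CIDR subnets.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the snippets in this article.
WEAK = "showVersionNumber\t0\nuseIpInProxyHeader\t1\n"
HARDENED = ("showVersionNumber\t0\nuseIpInProxyHeader\t2\n"
            "accessControl {\n\tallow ALL, 125.67.22.0/24T, 19.76.213.2/32T\n}\n")

def trusted_entries(text):
    """Parse T-suffixed entries of the first accessControl allow rule."""
    networks, unparsed = [], []
    block = re.search(r"^\s*accessControl\s*\{(.*?)\}", text, re.M | re.S)
    for line in (block.group(1).splitlines() if block else []):
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] != "allow":
            continue
        for entry in (e.strip() for e in parts[1].split(",")):
            if not entry.endswith("T"):
                continue  # e.g. ALL: allowed to connect, but not trusted
            try:
                networks.append(ipaddress.ip_network(entry[:-1], strict=False))
            except ValueError:
                unparsed.append(entry)  # review by hand
    return networks, unparsed

def audit(text):
    """Return findings; an empty list means the config follows the advice above."""
    findings = []
    m = re.search(r"^\s*useIpInProxyHeader\s+(\S+)", text, re.M)
    mode = m.group(1) if m else "0"  # assumption: an absent directive means disabled
    networks, unparsed = trusted_entries(text)
    if mode == "0":
        findings.append("header not used: logs and ACLs see the proxy address")
    elif mode == "1":
        findings.append("value 1 accepts X-Forwarded-For from any client; use 2")
    elif mode not in ("2", "3"):
        findings.append("unknown useIpInProxyHeader value: " + mode)
    elif not networks:
        findings.append("no trusted (T) entries in accessControl allow")
    findings += ["trusts every address: %s" % n for n in networks if n.prefixlen == 0]
    findings += ["could not parse trusted entry: " + e for e in unparsed]
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

To audit a live server, pass the contents of “/usr/local/lsws/conf/httpd-config.conf” to audit() instead of the sample strings.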
