Cloudflare Integration
When Cloudflare sits in front of Nginx, all incoming connections appear to come from Cloudflare's IP ranges — not the real visitor. This module covers how to restore real IPs, configure SSL correctly in Full (Strict) mode, and tune Nginx for Cloudflare's proxy behavior.
The Traffic Path
Visitor → Cloudflare Edge (anycast CDN)
  └── HTTPS → Nginx origin (:443)
        └── Sees Cloudflare IP, not visitor IP
        └── Must use CF-Connecting-IP or real_ip_header
What You Will Learn
- How to restore real visitor IPs using `ngx_http_realip_module`
- How to configure Nginx for Cloudflare Full (Strict) SSL mode
- How to install and use Cloudflare Origin Certificates with Nginx
- How to restrict Nginx to only accept connections from Cloudflare IPs
- How to set correct headers for Cloudflare caching behavior
Topics in This Module
- Real IP Restoration — `real_ip_header`, `set_real_ip_from` with Cloudflare IP ranges
- SSL Full Strict Setup — Origin certificate install, Nginx SSL listener config, Cloudflare dashboard settings
- Cloudflare IP Whitelisting — Block non-Cloudflare connections to Nginx origin
- Cache Headers for Cloudflare — `Cache-Control`, `Surrogate-Control`, bypass rules
- Security Headers with Cloudflare — What Cloudflare handles vs. what Nginx must set
Best Practices
- Set Cloudflare SSL mode to Full (Strict) — never use Flexible (it sends plain HTTP to your origin)
- Use a Cloudflare Origin Certificate (valid 15 years, trusted by Cloudflare only)
- Always use `$http_cf_connecting_ip` or `$realip_remote_addr` in logs after real IP restoration
- Block direct connections to port 443 that don't come from Cloudflare IP ranges
- Set `Cache-Control: no-store` on admin and login pages to prevent Cloudflare caching them
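The practices above tied together in one nginx http-context fragment. This is an added example, not configuration from the module; the IP prefixes are RFC 5737/3849 documentation ranges standing in for Cloudflare's published lists, and the hostname, certificate paths and upstream address are assumptions.

```nginx
# Constructed example (not from this module). The ranges below are
# RFC 5737/3849 documentation prefixes standing in for the real Cloudflare
# lists published at https://www.cloudflare.com/ips-v4 and /ips-v6;
# regenerate them into an include file whenever Cloudflare updates the lists.

# 1. Real IP restoration: trust CF-Connecting-IP only when the TCP peer is
#    a Cloudflare edge, so a direct connection cannot forge the header.
set_real_ip_from 192.0.2.0/24;       # placeholder Cloudflare IPv4 range
set_real_ip_from 2001:db8::/32;      # placeholder Cloudflare IPv6 range
real_ip_header   CF-Connecting-IP;

# After restoration $remote_addr is the visitor and $realip_remote_addr
# keeps the Cloudflare edge that actually opened the connection.
log_format cf '$remote_addr via $realip_remote_addr [$time_local] '
              '"$request" $status cf-ray=$http_cf_ray';

# 2. Origin lockdown: allow/deny would test the *restored* visitor address,
#    so classify the real TCP peer instead. Keep in sync with set_real_ip_from.
geo $realip_remote_addr $cf_edge {
    default       0;
    192.0.2.0/24  1;
    2001:db8::/32 1;
}

server {
    listen 443 ssl;
    server_name example.com;               # placeholder hostname

    # 3. Full (Strict): Cloudflare validates this Origin Certificate, so
    #    no public CA is needed, but browsers would not trust it directly.
    ssl_certificate     /etc/nginx/ssl/cf-origin.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/cf-origin.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/cf-access.log cf;

    if ($cf_edge = 0) { return 403; }      # refuse non-Cloudflare peers

    # 4. Cache headers: keep admin and login responses out of the edge cache.
    location ~ ^/(admin|login) {
        add_header Cache-Control "no-store" always;
        proxy_pass http://127.0.0.1:8080;  # placeholder upstream
    }

    location / {
        add_header Cache-Control "public, max-age=300";
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Blocking non-Cloudflare peers in nginx still leaves the TLS handshake reachable; a host firewall rule limited to the same ranges closes that gap too.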
Success Checkpoint
By the end of this module you should be able to verify your Nginx origin is only reachable via Cloudflare, have SSL Full (Strict) working, and have real visitor IPs appearing correctly in your logs.