Proxy-Mode: User's IP address is not forwarded correctly when using cloudflare

[ahoiroman]

Hi there,

I am using CloudFlare in order to protect my site (proxy mode). Now I want to integrate plausible using the proxy feature, which works fine. A little problem remains:

While the request that reaches the nuxt page contains the IP address of the user (2003:a:42f:2d00:64c8:abc6:83b:xxx):

[
  {
    "level": "info",
    "ts": 1748350595.236729,
    "logger": "http.log.access.log0",
    "msg": "handled request",
    "request": {
      "remote_ip": "10.0.1.1",
      "remote_port": "47494",
      "client_ip": "10.0.1.1",
      "proto": "HTTP/1.1",
      "method": "GET",
      "host": "example.com",
      "uri": "/",
      "headers": {
        "User-Agent": [
          "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
        ],
        "Accept": [
          "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"
        ],
        "Sec-Fetch-Site": [
          "same-origin"
        ],
        "X-Forwarded-Proto": [
          "https"
        ],
        "Cdn-Loop": [
          "cloudflare; loops=1"
        ],
        "Cf-Connecting-Ip": [
          "2003:a:42f:2d00:64c8:abc6:83b:xxx"
        ],
        "Accept-Language": [
          "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"
        ],
        "Dnt": [
          "1"
        ],
        "X-Forwarded-For": [
          "2003:a:42f:2d00:64c8:abc6:83b:xxx"
        ],
        "Cf-Ipcountry": [
          "DE"
        ],
        "X-Real-Ip": [
          "2003:a:42f:2d00:64c8:abc6:83b:xxx"
        ],
        "Cf-Ray": [
          "9465ac5239447a99-EWR"
        ],
        "Cookie": [
          "REDACTED"
        ],
        "Via": [
          "2.0 Caddy"
        ],
        "Cache-Control": [
          "max-age=0"
        ],
        "Sec-Ch-Ua-Platform": [
          "\"macOS\""
        ],
        "Accept-Encoding": [
          "gzip, br"
        ],
        "Sec-Fetch-User": [
          "?1"
        ],
        "Sec-Ch-Ua": [
          "\"Not.A/Brand\";v=\"99\", \"Chromium\";v=\"136\""
        ],
        "Sec-Fetch-Mode": [
          "navigate"
        ],
        "Sec-Ch-Ua-Mobile": [
          "?0"
        ],
        "Cf-Visitor": [
          "{\"scheme\":\"https\"}"
        ],
        "Upgrade-Insecure-Requests": [
          "1"
        ],
        "Sec-Fetch-Dest": [
          "document"
        ],
        "Priority": [
          "u=0, i"
        ],
        "X-Forwarded-Host": [
          "example.com"
        ]
      }
    },
    "bytes_read": 0,
    "user_id": "",
    "duration": 0.259088396,
    "size": 23784,
    "status": 200,
    "resp_headers": {
      "Set-Cookie": [
        "REDACTED"
      ],
      "Content-Type": [
        "text/html;charset=utf-8"
      ],
      "Date": [
        "Tue, 27 May 2025 12:56:35 GMT"
      ],
      "Vary": [
        "Accept-Encoding"
      ],
      "X-Robots-Tag": [
        "index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1"
      ],
      "Content-Encoding": [
        "gzip"
      ]
    }
  },
  {
    "level": "info",
    "ts": 1748350595.9863327,
    "logger": "http.log.access.log0",
    "msg": "handled request",
    "request": {
      "remote_ip": "10.0.1.1",
      "remote_port": "47494",
      "client_ip": "10.0.1.1",
      "proto": "HTTP/1.1",
      "method": "POST",
      "host": "example.com",
      "uri": "/_clt/api/event",
      "headers": {
        "Cf-Ipcountry": [
          "DE"
        ],
        "Accept": [
          "*/*"
        ],
        "Cf-Connecting-Ip": [
          "2003:a:42f:2d00:64c8:abc6:83b:xxx"
        ],
        "X-Forwarded-For": [
          "2003:a:42f:2d00:64c8:abc6:83b:xxx"
        ],
        "User-Agent": [
          "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
        ],
        "Cf-Ray": [
          "9465ac57e8027a99-EWR"
        ],
        "Dnt": [
          "1"
        ],
        "Content-Type": [
          "text/plain"
        ],
        "Sec-Ch-Ua-Platform": [
          "\"macOS\""
        ],
        "Sec-Fetch-Site": [
          "same-origin"
        ],
        "Cookie": [
          "REDACTED"
        ],
        "Sec-Ch-Ua-Mobile": [
          "?0"
        ],
        "X-Forwarded-Host": [
          "example.com"
        ],
        "Cf-Visitor": [
          "{\"scheme\":\"https\"}"
        ],
        "Accept-Encoding": [
          "gzip, br"
        ],
        "Via": [
          "2.0 Caddy"
        ],
        "Content-Length": [
          "90"
        ],
        "Sec-Ch-Ua": [
          "\"Not.A/Brand\";v=\"99\", \"Chromium\";v=\"136\""
        ],
        "Priority": [
          "u=1, i"
        ],
        "Origin": [
          "https://example.com"
        ],
        "Referer": [
          "https://example.com/"
        ],
        "Sec-Fetch-Mode": [
          "cors"
        ],
        "Sec-Fetch-Dest": [
          "empty"
        ],
        "X-Forwarded-Proto": [
          "https"
        ],
        "X-Real-Ip": [
          "2003:a:42f:2d00:64c8:abc6:83b:xxx"
        ],
        "Cdn-Loop": [
          "cloudflare; loops=1"
        ],
        "Accept-Language": [
          "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"
        ]
      }
    },
    "bytes_read": 90,
    "user_id": "",
    "duration": 0.103529669,
    "size": 2,
    "status": 202,
    "resp_headers": {
      "X-Request-Id": [
        "GENjmpfEStEPXzoAAIRC"
      ],
      "X-Robots-Tag": [
        "index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1"
      ],
      "Date": [
        "Tue, 27 May 2025 12:56:35 GMT"
      ],
      "Cache-Control": [
        "max-age=0, private, must-revalidate"
      ],
      "Access-Control-Allow-Origin": [
        "*"
      ],
      "Nel": [
        "{\"report_to\":\"cf-nel\",\"success_fraction\":0.0,\"max_age\":604800}"
      ],
      "Report-To": [
        "{\"group\":\"cf-nel\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://a.nel.cloudflare.com/report/v4?s=7nWEX8xblTiPwTQhT5ymEcaRTHj6XkVB%2FbLOYlfbv2qeJBgmLRTjp6UnE4skYCIFTaNoOyyIfuAPPW3owFkvKa8Hpy13RTjLv4qWdiYu5qM%3D\"}]}"
      ],
      "Access-Control-Expose-Headers": [
        ""
      ],
      "Content-Type": [
        "text/plain; charset=utf-8"
      ],
      "Access-Control-Allow-Credentials": [
        "true"
      ],
      "Cf-Cache-Status": [
        "DYNAMIC"
      ],
      "Cf-Ray": [
        "9465ac587aff1e6a-FRA"
      ]
    }
  }
]

the request on the plausible-host does not contain that information, but the nuxt host's internal ip (10.0.1.1) and it's nat gateway's public ip (123.123.123.123).

{
  "level": "info",
  "ts": 1748350595.9751575,
  "logger": "http.log.access.log0",
  "msg": "handled request",
  "request": {
    "remote_ip": "172.70.247.10",
    "remote_port": "39954",
    "client_ip": "172.70.247.10",
    "proto": "HTTP/2.0",
    "method": "POST",
    "host": "stats.example.com",
    "uri": "/api/event",
    "headers": {
      "Referer": [
        "https://example.com/"
      ],
      "Via": [
        "2.0 Caddy, 1.1 Caddy"
      ],
      "Accept-Language": [
        "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"
      ],
      "Content-Type": [
        "text/plain"
      ],
      "Cf-Ray": [
        "9465ac587aff1e6a-FRA"
      ],
      "User-Agent": [
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36"
      ],
      "X-Forwarded-For": [
        "10.0.1.1,123.123.123.123"
      ],
      "Cf-Connecting-Ip": [
        "123.123.123.123"
      ],
      "Cf-Visitor": [
        "{\"scheme\":\"https\"}"
      ],
      "Dnt": [
        "1"
      ],
      "Cf-Ipcountry": [
        "DE"
      ],
      "Cdn-Loop": [
        "cloudflare; loops=2"
      ],
      "Accept": [
        "*/*"
      ],
      "X-Forwarded-Proto": [
        "https"
      ],
      "Origin": [
        "https://example.com"
      ],
      "Sec-Ch-Ua": [
        "\"Not.A/Brand\";v=\"99\", \"Chromium\";v=\"136\""
      ],
      "Sec-Ch-Ua-Platform": [
        "\"macOS\""
      ],
      "Sec-Fetch-Mode": [
        "cors"
      ],
      "X-Forwarded-Host": [
        "example.com"
      ],
      "Priority": [
        "u=1, i"
      ],
      "Accept-Encoding": [
        "gzip, br"
      ],
      "Sec-Ch-Ua-Mobile": [
        "?0"
      ],
      "Cookie": [
        "REDACTED"
      ],
      "Sec-Fetch-Dest": [
        "empty"
      ],
      "Content-Length": [
        "90"
      ],
      "Sec-Fetch-Site": [
        "same-origin"
      ]
    },
    "tls": {
      "resumed": false,
      "version": 772,
      "cipher_suite": 4865,
      "proto": "h2",
      "server_name": "stats.example.com"
    }
  },
  "bytes_read": 90,
  "user_id": "",
  "duration": 0.005371119,
  "size": 2,
  "status": 202,
  "resp_headers": {
    "Content-Type": [
      "text/plain; charset=utf-8"
    ],
    "X-Request-Id": [
      "GENjmpfEStEPXzoAAIRC"
    ],
    "Cache-Control": [
      "max-age=0, private, must-revalidate"
    ],
    "Access-Control-Allow-Credentials": [
      "true"
    ],
    "Alt-Svc": [
      "h3=\":443\"; ma=2592000"
    ],
    "Date": [
      "Tue, 27 May 2025 12:56:35 GMT"
    ],
    "Access-Control-Allow-Origin": [
      "*"
    ],
    "Access-Control-Expose-Headers": [
      ""
    ],
    "Content-Length": [
      "2"
    ]
  }
}

So for now, all my users come from Iran (as the IP is geolocated there).

Is there any way to change this?

[ahoiroman]

For now, if anyone else experiences the same issue, I am using this proxy config for caddy:

        @plausible path /_clt/api/event
        handle @plausible {
                uri strip_prefix /_clt

                reverse_proxy https://stats. example.com {
                        header_up X-Real-IP {http.request.header.CF-Connecting-IP}
                        header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
                        header_up CF-Connecting-IP {http.request.header.CF-Connecting-IP}
                        header_up X-Forwarded-Proto {scheme}
                        header_up Host {http.reverse_proxy.upstream.hostport}
                }
        }

[jellenijhof12]

I'm having the same problem, when I turn on the proxy mode all the IP's that are sent to plausible is the IP from my Nuxt deployment.

[johannschopplich]

This is now fixed. The root cause was that h3's getRequestIP() checks event.context.clientAddress before reading any proxy headers. When Nuxt runs behind an internal reverse proxy (like Caddy in a Docker network), the runtime sets clientAddress to the socket's remote address (e.g. 10.0.1.1), so the real client IP from X-Forwarded-For or CF-Connecting-IP was never read.

The proxy event handler now reads CDN/reverse proxy headers directly in this order:

1. CF-Connecting-IP (Cloudflare)
2. X-Real-IP (Nginx and other proxies)
3. X-Forwarded-For (first IP in the chain)
4. Falls back to h3's getRequestIP() if none are present

Reference: a346390