SymptomsIf you use CloudFlare for websites hosted in Panel with nginx installed, the access logs contain IP addresses of CloudFlare proxies instead of actual visitors' addresses.
As a consequence, web statistics does not contain information about visitors' IPs from CloudFlare, CloudFlare proxies IPs are shown instead.
CauseWhen CloudFlare accepts a request to a website, it redirects this request to the website including the visitor's IP address in the request's heading. Apache processes requests from CloudFlare with the mod_cloudflare module. To define whether a request is from CloudFlare, Apache uses the list of CloudFare proxies located in the /etc/httpd/conf.d/cloudflare.conf. By default, this list contains addresses of CloudFlare servers.
The mod_cloudflare module processes the request and adds the actual visitor's IP address to the access log.
If nginx is installed on the Panel server, it receives the request from CloudFlare first and then redirects it to Apache. Apache considers the request to be send not form CloudFlare since the sender's (nginx) IP address is not in the CloudFlare's proxies list. As a result, the access log contains the IP address of the CloudFlare server that redirected the request instead of the actual visitor's address.
ResolutionTo make Apache process requests from nginx as if they were sent from CloudFlare, add the localhost IP address 127.0.0.1 to the mod_cloudflare proxies list (/etc/httpd/conf.d/cloudflare.conf).
Important: When you add this address to the proxies list, Apache will process all requests as if they were sent from CloudFlare. This means, that malicious persons can hide their actual IP addresses by including another address in the request heading as CloudFare does.