Determining real IP addresses of users

The "Detect users' real IP addresses" (Real IP) module allows the Nginx platform web server to correctly identify a client's IP address. This can be useful for logging, access restriction and other functions.

For example, a connection to the platform can be made through a reverse proxy server. A reverse proxy server relays client requests from the external network to one or more servers logically located on the internal network. If a user, who is allowed to authorize only from certain IP addresses, tries to connect to the platform through a reverse proxy server, the platform will block the authorization attempt. This is due to the fact that the connection will be registered from the IP address of the proxy server and not the real IP address of the user.

To allow authorization for such users, transfer to the platform a list of networks from which the server will receive headers with the user's real IP address.

If a user who is allowed to authorize only from certain IP addresses tries to connect to the platform through a reverse proxy server, the platform will block the authorization attempt. This is because the connection will be registered from the IP address of the proxy server, not the real IP address of the user.

You can do it only via API.

Configuring

Get the authorization token:
```
curl -k -X POST -H "accept: application/json" -H "Content-Type: application/json" 'https://domain.com/auth/v4/public/token' -d '{"email": "admin_email", "password": "admin_pass"}'
```
Comments to the command

domain.com — domain name or IP address of the server with the platform
admin_email — platform administrator's email
admin_pass — platform administrator's password

In response, you will get the message in the form:
Example of response in JSON
```
{
  "confirmed": true,
  "expires_at": null,
  "id": "6",
  "token": "4-e9726dd9-61d9-2940-add3-914851d2cb8a"
}
```
Save the received token value.
Perform a request of the form:
```
curl -k -X POST 'https://example.com/auth/v4/realip/trusted_servers' -d '{"header": "<proxy_set_header>", "ips": ["<network_1>","<network_2>","<network_3>",...,"<network_N>"]}' -H 'x-xsrf-token: <token>'
```
Comments

example.com — domain name or IP address of the server with the platform
<proxy_set_header> — value of the proxy_set_header directive in Nginx. In most cases, X-Forwarded-For or X-Real-IP will be fine. If you are using Cloudflare services, specify the value CF-Connecting-IP
<network_1>, <network_2>, <network_3>, <network_N> — reverse proxy networks. An up-to-date list of Cloudflare networks is available at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6
<token> — authorization token
Example command
```
curl -k -X POST 'https://example.com/auth/v4/realip/trusted_servers' -d '{"header": "CF-Connecting-IP", "ips": ["173.245.48.0/20","103.21.244.0/22","103.22.200.0/22"]}' -H 'x-xsrf-token: 4-e9726dd9-61d9-2940-add3-914851d2cb8a'
```

To check the list of added networks, perform a request:

curl -k -X GET 'https://example.com/auth/v4/realip/trusted_servers' -H 'x-xsrf-token: <token>'

To delete the list of added networks, perform the request:

curl -k -X DELETE 'https://example.com/auth/v4/realip/trusted_servers' -H 'x-xsrf-token: <token>'

Comments to the commands

The article was last updated on 09.10.2025. The article was prepared by technical writers of ISPsystem