How to use Cloudflare and not throttle it

What do you mean?
If you’re using CF and its features every visitor is coming from CF’s IP range or did I misunderstand you here?

Hi,

My hunch is that having the CloudFlare WordPress Plugin installed will help with this (will restore the visitor IP at the WordPress level, if that’s how the plugin is working).

I personally haven’t really seen any issues with this at this time, but I would be interested in hearing what WordFence has to say.

To Ovidiu,
When using a server with mod_cloudflare, the true IPs are visible. I have not used the Cloudflare plugin for this, as its intent seems to be to monitor the Cloudflare IP setup. Spammers aren’t my concern; it’s people trying to overload the server. I did see that Wordfence allows specified IPs to be ignored, but Cloudflare has many. That seems like the real solution.

as far as I understand it works this way:

1) visitor asks CF to serve your site
2) CF asks your server for your site
3) CF tells your server in a header something like X-Forwarded-For or CF-Connecting-IP who was actually asking for your site
4) your server serves your site to CF
5) CF serves your site to the visitor

of course depending on the CF features you activated there is a lot of optimizing and caching going on in-between.

BUT your server will only see contact from the CF IP range and not actually get in touch with the requesting visitor’S IP.

@david: you didn’t mention mod_cloudflare earlier, you just said CF, not sure how this solution differs from having CF handle your domains and acting as a CDN…

Just checked the description though:

Description
Because CloudFlare acts as a proxy, you will notice changes to the way that your website visitors’ IP addresses are displayed both in your server logs and web applications – notably that all access appears to be coming from CloudFlare IP addresses. You can read more about the reasons for this in our knowledge base article.

You can change this behavior and log & display the actual visitor IP addresses by using mod_cloudflare.

Based on that, saying: display the actual visitor IP, I still think my explanation is right, i.e. all contact comes from CF’s IP range except your logging will show the real visitor’s IP.

But again, I might be wrong…

Logging shows only the CF IP numbers unless mod_cloudflare is installed. This URL has some nice graphics on the issue:
https://support.cloudflare.com/hc/en-us/articles/200170916-Why-should-I-install-mod-cloudflare- Without mod_cloudflare, your first post is right; you only see the CF IPs.

At this point, I’ll close this thread. From my review, it does seem Wordfence supports my concern, but I would need to enter all CF IPs. Thanks for your feedback.
david

This subject having been a question for me, I appreciate this thread…

And in looking into it some more… My host has mod_cloudflare set up on all its shared servers and most of its dedicated ones…

Additionally I found here:
https://blog.cloudflare.com/top-tips-for-new-cloudflare-users item three on the page
that the WP cloudflare plugin does the same, passes through the the original IP addresses…

“And in looking into it some more… My host has mod_cloudflare set up on all its shared servers and most of its dedicated ones..”

All of our hosting partners should have mod_cloudflare installed on their servers already. The only thing I would have them check, if you see an issue, is that they have mod_cloudflare set with CloudFlare’s IPs (just in the event they are using an older version). We have updated some new ip ranges on that page recently.

I will query my host, and thanks, neat to see that Cloudflare watches these threads…
??