I should say that I am still calling it Piwik even though the project is renamed to Matomo for ages. https://matomo.org/

After switching my site to Cloudflare CDN, I noticed that the IPs showing are no longer the clients IPs, but the ones from Cloudflare, which is similar to running a site behind a reverse proxy (in essence I assume Cloudflare is doing exactly that). This require a small config change in piwik to evaluate the client IP correctly. (the same solution can be applied as for a regular reverse proxy, but Cloudflare provides a specific header field for that).

Add the following lines to the end of the config/config.ini.php file:

[General]
proxy_client_headers[] = "CF_CONNECTING_IP"

If the [General] section already appears in your config, just add the 2nd line to the section.

For some reason this is not enough since it breaks the form security of the login form, so if you get this error message:

Error: Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Piwik to accept the proxy header that forwards the Host header. Also, check that your Referrer header is sent correctly. you might need to clear cookies or login again (not sure what I did, after a few reloads it worked.

This way the proper IPs should appear in the analytics.

When using Matomo Tag Manager, the JS file is cached too long in some cases if you make changes for the tag configuration so that the new version does not load. I tried to debug that but I am not sure yet, you can do a purge cache in Cloudflare to get the new file or use a r=(random) parameter in the tag. Tthis is best for development, I would not do that in a live env I guess. Maybe you can also do some redirect to a url with a random parameter in a rewrite rule for a dev environment so that you do not have to change the site code. Then again you could just turn off caching for the dev site (which I don't do since my whole site is kind of devtest).

To check which version of the tag container is live, you can look at the URL http://site/piwik/js/container_codeabc.js and check for the revision parameter in the embedded JSON object. The revision matches the revision in the tag manager, it also mentions the version name you have given.

window.MatomoTagManager.addContainer({"id":"codeabc","idsite":6,"versionName":"v12","revision":12,"environment":"live",