Activate licensing in a failover scenario

[koda]

We have 2 servers with IPs 1.2.3.4 and 80.81.82.83 which will be facing the internet through a proxy with a single different IP: 200.201.202.203
So all traffic will be directed to this last IP (200...) and that server will then direct traffic to one of the two servers, based on a failover scenario. If the master 1.2.3.4 is down, the proxy will redirect to the slave 80.81.82.83
We bought a Cpanel license and connected it to the IP 200.201.202.203 that will be the public gateway, but trying to login to cpanel or WHM gives the "cannot login... IP changed" error.
How can we solve this? If we buy 2 licenses for 1.2.3.4 and 80.81.82.83, those servers will be reached only by the third IP (200..) in any case.

 

[cPanelMichael]

Hello

The licensed IP needs to be the IP address the server makes outgoing connections from. For instance, it's the IP address that's output when you run this command from the server:

lynx -dump http://www.cpanel.net/showip.cgi

Thank you.

 

[koda]

Thank you Michael you are kind as always. So in our scenario we should get 2 licenses for 1.2.3.4 and 80.81.82.83 even if the public "incoming" requests IP will be only one 200.201.202.203.
Also does cpanel experience any issue in a load balanced scenario? I mean if requests come through 200.201.202.203 but then are routed to 1.2.3.4 (our is not a proper load balancing but rather a failover scenario but there is a proxy in front the same).
Because I saw several access denied looking at network activity for the images and js/css files that are called from cpanel admin web page for example always on 200.201.202.203. The other guy working on it thught CPanel may have issues in this scenario since we had this "cannot login... IP changed" error and several 401 errors for static resources on CPanle/WHM admin pages (for css/js/images)

EDIT: We seem to have identified the issue in being that the proxy ahead of the two real servers, act as a reverse proxy, randomizing user requests among 2-3 IPs... (Totaluptime.com Cloud Load Balancing service). How could we overcome this in CPanel? Also it comes to my mind that addons like CPHulk blocking features should be disabled since every request comes as 2-3 IPs always and so all the various rate limits for IP. Or is there a way to tell WHM/CPanel to read the IP from an header for example (since we can customize this in the proxy to supply the original IP through an header). Does anyone have any experience on this scenario (reverse proxy in front of CPanel). Thanks in advance. We are using those as mail servers only (+ webmail)

 

[cPanelMichael]

You will need a valid cPanel license for each server, but ensure you open a ticket with our Customer Service team or email them at cs[@]cpanel.net if you are unable to open a ticket and they can provide additional license information. Regarding your second question, here are some threads where users discuss a similar issue (though it's for Apache logging):

Mod_Sec Detect Server IP
Logging clients' real IPs when using CloudFlare + Nginx + Apache
Information about X-Forwarded-for

Thank you.

 

[koda]

Thank you Michael,
since we'll be using those as mail servers only I think there will be major issues with black lists checks/spamassassin or CPHulk or everything else iP based, until a major tech renew will be implemented for reverse proxies and all the other application involved (like for example the proxy protocol or such).

 

[cPanelMichael]

You can disable cPHulk and utilize a third-party firewall application such as CSF if necessary. There are also several options that allow you to whitelist IP addresses at:

Exim Configuration Manager - Basic Editor - Documentation - cPanel Documentation

Thank you.