Cloudflare shows user real IP in my site but not in the logs (CF IPs getting blocked by mod_qos)

[Bentok]

Hello,

I have fixed users real IP by help of cpanel and this link:

Restoring visitors IP with mod_remoteip

Introduction Sometimes you'll have traffic come from another source such as Cloudflare, another proxy source, or a dedicated firewall. Apache offers mod_remoteip which will allow you to restore the...

support.cpanel.net

But the problem is now that in the logs it still shows cloudflare IPs and when an attack happens mod_qos or evasive blocks cloudflare IPs instead of attackers IP, when disabling cloudflare then it works and shows real IPs in the logs, but not when it's under cloudflare protection.

Running this command and shows only cloudflare IPs with user connections:

netstat -plan|grep :443 |awk '{print $5}' | awk -F : '{print $(NF-1)}' | sort | uniq -c | sort -n

Wondering if there is any solution to fix that as well? appreciate the advice!

Best regards,

 

[cPRex]

Hey there! I don't think those particular modules can detect the true IP address. I would be curious to know why you're still seeing an attack even though you're using Cloudflare, as that should be absorbing that type of traffic for you.

 

[Bentok]

Hey there! I don't think those particular modules can detect the true IP address. I would be curious to know why you're still seeing an attack even though you're using Cloudflare, as that should be absorbing that type of traffic for you.

Yeah it didn't help actually so I moved to sucuri instead, it's great and helping.. cloudflare just becoming worse with high prices for such protection... any way thanks for the response!

It might be Irrelevant to this topic , is there any way to remove or replace cloudflare IPs to sucuri IP in nginx configurations? because when I put them in server-includes nginx gives error that it's duplicate because of cloudflare ips.. if I put them in cloudflare.conf then it resets.. so wondering if there is a settings there to fix this issue.. shouldn't cloudflare config placed in /etc/nginx/conf.d/includes_optional/cpanel-proxy-vendors/...

So user adds them by themselves or replace it with other IPs etc... that's really annoying... or is it any other way to fix it? really appreciate the advice! (currently, client IP shows only servers IP, I tried all sucuri's documentation for apache, but the problem here might be nginx as well...)

 

[cPRex]

I'm glad you found a solution that works for you. I don't personally have any experience with Sucuri so I can't comment on that, but you'll want to ensure you have the mod_remoteip package installed no matter what.

 

[Bentok]

I know, but because nginx is a reserve proxy, so the IP need to be added in nginx, but because of cloudflare IP is there so I can't add my other ips such as sucuri... it says it's duplicate.. that's the issue that cpanel added cloudflare IP to the server block by default.. not all users need cloudflare IPs.. so that's my issue for now. I don't need that inside the server block, if it was a customisation or some graphical on/off button for cloudflare that would be great so user can add their own IPs or cloudflare IPs.

I have moved some of my sites to plesk now, they are more customized than cpanel.

 

[cPRex]

Feel free to submit a feature request using the link in my signature if you'd like to see something added to the product and I'll bring it up during our weekly meeting!