Easiest way to install mod_cloudflare on latest CPanel since it's not available in EA?

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
Or, more appropriately, are there plans to include mod_cloudflare in EA4? Assuming the answer is no, what is a non-headache-inducing way to install mod_cloudflare on a CPanel server? I'm not a hosting partner, so CF's official plugin is out since I doubt they'll approve me. Suggestions are appreciated, up to and including something I have yet to find on Google (I'm just getting off a 10-hour shift).
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hello @quanin

The simple answer to this is that you don't, mod_cloudflare is not even supported by CloudFlare at this point. What you should use is mod_remoteip which is also what CloudFlare Suggests:


https://support.cloudflare.com/hc/en-us/articles/200170916-Restoring-original-visitor-IPs-Option-1-Installing-mod-cloudflare said:
Cloudflare no longer updates and supports mod_cloudflare, starting with versions Debian 9 *and *Ubuntu 18.04 LTS of the Linux operating system. We now support mod_remoteip for customers using Apache web servers. Customers who are interested in building the mod_cloudflare package can download the codebase from GitHub.

mod_remoteip is available in the EA repository as well:
Code:
Name        : ea-apache24-mod_remoteip
Arch        : x86_64
Version     : 2.4.43
Release     : 1.1.1.cpanel
Size        : 41 k
Repo        : EA4/7/x86_64
Summary     : IP replacement module for the Apache HTTP Server
URL         : http://httpd.apache.org/
License     : ASL 2.0
Description : The mod_remoteip module is used to treat the useragent which initiated
            : the request as the originating useragent as identified by httpd for
            : the purposes of authorization and logging, even where that useragent
            : is behind a load balancer, front end server, or proxy server.
            :
            : The module overrides the client IP address for the connection with the
            : useragent IP address reported in the request header configured with
            : the RemoteIPHeader directive.
            :
            : Once replaced as instructed, this overridden useragent IP address is
            : then used for the mod_authz_host Require ip feature, is reported by
            : mod_status, and is recorded by mod_log_config %a and core %a format
            : strings. The underlying client IP of the connection is available in
            : the %{c}a format string.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
621
202
343
cPanel Access Level
DataCenter Provider
@cPanelLauren but isn't mod_remoteip going to be difficult to setup in cPanel? You have to change the LogFormat statement?

Having said the above, it's getting more and more difficult to use CloudFlare on cPanel servers. Besides depreciating mod_cloudflare, they are using the cPanel API V1 for their cPanel plugin. When we opened a ticket with them, we were told that the plugin is also no longer being supported.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
The plugin isn't supported anymore, no, which is a bummer as I know a lot of people used it, that wasn't our decision though, it was theirs.

As far as enabling mod_remoteip for CloudFlare the instructions are indeed different than what they provide. I do miss the ease of their instructions for mod_cloudflare.

So, I believe the following should work (only including relevant steps):

1. Update the site configuration to include RemoteIPHeader CF-Connecting-IP
Using Modify Apache Virtual Hosts with Include Files | cPanel & WHM Documentation

Apply to all virtual hosts on the system

  • With and without SSL - /etc/apache2/conf.d/userdata/includename.conf
Alternatively you could modify the includes here:
  • With SSL
    • /etc/apache2/conf.d/userdata/ssl/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/ssl/includename.conf
  • Without SSL
    • /etc/apache2/conf.d/userdata/std/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/std/includename.conf
You'll add the following line:

RemoteIPHeader CF-Connecting-IP


  • After you create or edit an Apache include userdata file, you must rebuild the httpd.conf file and restart Apache for the changes to take effect.
    • To rebuild the httpd.conf file, run the following script:
      Code:
      /usr/local/cpanel/scripts/rebuildhttpdconf
    • To restart Apache, run the following script:
      Code:
      /usr/local/cpanel/scripts/restartsrv_httpd

2. Update combined LogFormat entry
  • This can be done at WHM>>Service Configuration>>Apache Configuration>>Global Configuration:
    • LogFormat (combined)
      • Default is: %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    • LogFormat (common)
      • Default is: %h %l %u %t \"%r\" %>s %b
  • Note that all you're going to do is replace %h with %a so it should look like the following:
    • LogFormat (combined)
      Code:
      %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    • LogFormat (common)
      Code:
      %a %l %u %t \"%r\" %>s %b
  • Ensure you click the checkbox for the customized version then click Save at the bottom of the page
  • A prompt will appear telling you what's been saved, confirm everything is as it should be
  • Select Rebuild Configuration and Restart Apache at the bottom of the page
3. Define trusted proxy addresses
  • This can be done through WHM>>Service Configuration>>Apache Configuration>>Include Editor -> Pre Main Include
  • Select All Versions
  • Add the following:
    Code:
    <IfModule mod_remoteip.c>
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/12
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32
    </IfModule>
  • Click Update
  • Click Restart Apache


And that should be it!
I tried to keep you off the command line as much as I could and make this as straight forward as possible. Let me know if there are any issues with this though.
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
621
202
343
cPanel Access Level
DataCenter Provider
As I said, it's going to be a pain to setup :)

I did not mean to imply that cPanel was involved in any way with these decisions. I was just trying to point out that without mod_cloudflare and the cPanel modules, it's more difficult for most hosts to easily deal with CloudFlare.
 

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
@cPanelLauren, thanks for the instructions. Command line usage doesn't really bother me (I actually prefer that), but I've learned over the years that if I can do it in WHM I'll have less of an excuse to drink later when CPanel decides to argue with me. I was more asking about some kind of CF specific module/plugin because, as @ffeingol points out, Cloudflare and CPanel are a wee bit of a trick to get to play nicely together. Mostly in terms of making sure I catch all the subdomains etc CPanel creates when I put something new on the server. I suppose worst case if I want a domain on Cloudflare I can cheat and use another DNS service first (either my provider's, or the local DNS server), so CF pulls in all the relevant junk properly, but I was mostly looking for a way not to have to. Lazy sysadmin is lazy.
 
  • Haha
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
As I said, it's going to be a pain to setup :)

I did not mean to imply that cPanel was involved in any way with these decisions. I was just trying to point out that without mod_cloudflare and the cPanel modules, it's more difficult for most hosts to easily deal with CloudFlare.
Yea it's a bit more difficult but not more steps than they list on their site if that's any consolation. It took me about 45 minutes to set up but most of that time was formatting the text in what I was writing out for you guys here. If I had to set it up just by itself without writing instructions, I think it wouldn't have taken maybe max 10 minutes. With these instructions, I am hoping anyone that uses them will take less.

@quanin this is the only supported method. You can still use mod_cloudflare but the instructions I provided should be everything you need to do with mod_remoteip, I went along as I was writing and enabled all this on my own server and can confirm its a good solution
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
And just a side note that the list of CloudFlare IP's is not 'fixed', so you'll want to check IP Ranges | Cloudflare every once in a while to insure your list matches their list.
Yep, which functions the same way with mod_cloudflare as well - they had the CloudFlareRemoteIPTrustedProxy list

Also to note, the third step on the mod_remoteip instructions is optional but I took it as the safer bet. Best to define what we trust if we know it ahead of time.
 

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
@cPanelLauren Oh, I gathered that much. And yes, your instructions are perfect--any chance we can get this included in the docs? What I was semi-complaining about is for new domains. Create domain on CPanel, create domain in Cloudflare, point DNS to Cloudflare won't work quite as nicely as I'd like due to all the extra cruft CPanel adds as subdomains that need to be migrated over as well. Just adds an extra step for me is all, but for new projects that's all of about 5 seconds plus propagation time. I'd rather avoid it, but what can ya do?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
@cPanelLauren Oh, I gathered that much. And yes, your instructions are perfect--any chance we can get this included in the docs? What I was semi-complaining about is for new domains. Create domain on CPanel, create domain in Cloudflare, point DNS to Cloudflare won't work quite as nicely as I'd like due to all the extra cruft CPanel adds as subdomains that need to be migrated over as well. Just adds an extra step for me is all, but for new projects that's all of about 5 seconds plus propagation time. I'd rather avoid it, but what can ya do?
Well from what I found, as far as create a domain in cloudflare it pulls all the domain information in the DNS zone into the CloudFlare UI - For example, when I was testing this for you yesterday:
Screen Shot 2020-04-17 at 12.31.02 PM.png

Keep in mind I removed all my domain and IP related information in this screenshot - this was definitely a newly created domain/account as I just bought it the other day to have a domain registered with google domains so I could familiarize myself with their interface

And yes, your instructions are perfect--any chance we can get this included in the docs?
I was going to request that we add it to our support docs at cPanel but it may be something I add to a new forum I'm adding here soon with community based how-to articles :)
 

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
Ah. So you did the step I was trying to avoid. Register the domain, park it with a DNS server that's fed by CPanel (or the CNS server local to CPanel), create the domain inside CPanel, then migrate DNS over to Cloudflare. I'd ideally like to cut out that middle step. Create the domain within CPanel, set it up in Cloudflare's DNS, and have it just... work. No Google Domains or other DNS service required.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Ah. So you did the step I was trying to avoid. Register the domain, park it with a DNS server that's fed by CPanel (or the CNS server local to CPanel), create the domain inside CPanel, then migrate DNS over to Cloudflare. I'd ideally like to cut out that middle step. Create the domain within CPanel, set it up in Cloudflare's DNS, and have it just... work. No Google Domains or other DNS service required.
Well, I had to register the domain, I'm not sure what you mean? I didn't need a 3rd party service, I just happened to have registered the domain with google because I'd wanted a domain with them (the purpose of that was so that I could accurately tell you guys how to navigate in there when asked). I just included that information so it was clear I used a new domain that hadn't been added to cPanel yet. The steps relevant to this were:

- Point NS for domain to my cPanel server​
- Create account for the domain in cPanel​
- Wait a bit for propagation​
- Add domain to CloudFlare​
- Update NS for domain to CloudFlare's NS​

If the domain had existed prior in cPanel it would have been a bit faster:

-Add domain to CloudFlare​
-Point NS to CloudFlare's NS​

Now, what was really nice about the CloudFlare plugin is that you didn't need to do any of that, it just added a CNAME record. I Found that CloudFlare does have a domain registrar Cloudflare Registrar | Domain Transfer | Cloudflare but I don't know if that will make things any easier as I haven't used it at all.
 

quanin

Well-Known Member
Aug 18, 2011
127
7
68
cPanel Access Level
Root Administrator
The short answer is no. The functionality you were describing from the Cloudflare plugin is close to what I was looking for--where it basically did all the actual moving things around for you. I mean, I had no problem changing my DNS settings, but if Cloudflare didn't scan my already existing DNS and pull in all the subdomains CPanel adds, I'd have probably missed something.

also and because the question was implied, Cloudflare's registrar would be no help there at all. You apparently can't actually change your DNS info with them. It's either Cloudflare's DNS or nothing.

 
  • Like
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
That link seems to just be someone confused about how to go back to using their registrar's DNS which is super easy for most providers. You don't need CloudFlare at all to do that. It didn't look like they had their domain registered with CloudFlare at all though.
 

piyushmaheswari

Well-Known Member
Apr 18, 2020
74
2
8
India
cPanel Access Level
Root Administrator
Sir please reply on this thread -
 

thewebexpert

Member
May 6, 2013
9
1
53
cPanel Access Level
Root Administrator
The plugin isn't supported anymore, no, which is a bummer as I know a lot of people used it, that wasn't our decision though, it was theirs.

As far as enabling mod_remoteip for CloudFlare the instructions are indeed different than what they provide. I do miss the ease of their instructions for mod_cloudflare.

So, I believe the following should work (only including relevant steps):



Using Modify Apache Virtual Hosts with Include Files | cPanel & WHM Documentation

Apply to all virtual hosts on the system

  • With and without SSL - /etc/apache2/conf.d/userdata/includename.conf
Alternatively you could modify the includes here:
  • With SSL
    • /etc/apache2/conf.d/userdata/ssl/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/ssl/includename.conf
  • Without SSL
    • /etc/apache2/conf.d/userdata/std/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/std/includename.conf
You'll add the following line:

RemoteIPHeader CF-Connecting-IP


  • After you create or edit an Apache include userdata file, you must rebuild the httpd.conf file and restart Apache for the changes to take effect.
    • To rebuild the httpd.conf file, run the following script:
      Code:
      /usr/local/cpanel/scripts/rebuildhttpdconf
    • To restart Apache, run the following script:
      Code:
      /usr/local/cpanel/scripts/restartsrv_httpd



  • This can be done at WHM>>Service Configuration>>Apache Configuration>>Global Configuration:
    • LogFormat (combined)
      • Default is: %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    • LogFormat (common)
      • Default is: %h %l %u %t \"%r\" %>s %b
  • Note that all you're going to do is replace %h with %a so it should look like the following:
    • LogFormat (combined)
      Code:
      %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    • LogFormat (common)
      Code:
      %a %l %u %t \"%r\" %>s %b
  • Ensure you click the checkbox for the customized version then click Save at the bottom of the page
  • A prompt will appear telling you what's been saved, confirm everything is as it should be
  • Select Rebuild Configuration and Restart Apache at the bottom of the page


  • This can be done through WHM>>Service Configuration>>Apache Configuration>>Include Editor -> Pre Main Include
  • Select All Versions
  • Add the following:
    Code:
    <IfModule mod_remoteip.c>
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/12
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32
    </IfModule>
  • Click Update
  • Click Restart Apache


And that should be it!
I tried to keep you off the command line as much as I could and make this as straight forward as possible. Let me know if there are any issues with this though.
THANK YOU SO MUCH!!!!
 

piyushmaheswari

Well-Known Member
Apr 18, 2020
74
2
8
India
cPanel Access Level
Root Administrator
The plugin isn't supported anymore, no, which is a bummer as I know a lot of people used it, that wasn't our decision though, it was theirs.

As far as enabling mod_remoteip for CloudFlare the instructions are indeed different than what they provide. I do miss the ease of their instructions for mod_cloudflare.

So, I believe the following should work (only including relevant steps):



Using Modify Apache Virtual Hosts with Include Files | cPanel & WHM Documentation

Apply to all virtual hosts on the system

  • With and without SSL - /etc/apache2/conf.d/userdata/includename.conf
Alternatively you could modify the includes here:
  • With SSL
    • /etc/apache2/conf.d/userdata/ssl/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/ssl/includename.conf
  • Without SSL
    • /etc/apache2/conf.d/userdata/std/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/std/includename.conf
You'll add the following line:

RemoteIPHeader CF-Connecting-IP


  • After you create or edit an Apache include userdata file, you must rebuild the httpd.conf file and restart Apache for the changes to take effect.
    • To rebuild the httpd.conf file, run the following script:
      Code:
      /usr/local/cpanel/scripts/rebuildhttpdconf
    • To restart Apache, run the following script:
      Code:
      /usr/local/cpanel/scripts/restartsrv_httpd



  • This can be done at WHM>>Service Configuration>>Apache Configuration>>Global Configuration:
    • LogFormat (combined)
      • Default is: %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    • LogFormat (common)
      • Default is: %h %l %u %t \"%r\" %>s %b
  • Note that all you're going to do is replace %h with %a so it should look like the following:
    • LogFormat (combined)
      Code:
      %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    • LogFormat (common)
      Code:
      %a %l %u %t \"%r\" %>s %b
  • Ensure you click the checkbox for the customized version then click Save at the bottom of the page
  • A prompt will appear telling you what's been saved, confirm everything is as it should be
  • Select Rebuild Configuration and Restart Apache at the bottom of the page


  • This can be done through WHM>>Service Configuration>>Apache Configuration>>Include Editor -> Pre Main Include
  • Select All Versions
  • Add the following:
    Code:
    <IfModule mod_remoteip.c>
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxy 173.245.48.0/20
    RemoteIPTrustedProxy 103.21.244.0/22
    RemoteIPTrustedProxy 103.22.200.0/22
    RemoteIPTrustedProxy 103.31.4.0/22
    RemoteIPTrustedProxy 141.101.64.0/18
    RemoteIPTrustedProxy 108.162.192.0/18
    RemoteIPTrustedProxy 190.93.240.0/20
    RemoteIPTrustedProxy 188.114.96.0/20
    RemoteIPTrustedProxy 197.234.240.0/22
    RemoteIPTrustedProxy 198.41.128.0/17
    RemoteIPTrustedProxy 162.158.0.0/15
    RemoteIPTrustedProxy 104.16.0.0/12
    RemoteIPTrustedProxy 172.64.0.0/13
    RemoteIPTrustedProxy 131.0.72.0/22
    RemoteIPTrustedProxy 2400:cb00::/32
    RemoteIPTrustedProxy 2606:4700::/32
    RemoteIPTrustedProxy 2803:f800::/32
    RemoteIPTrustedProxy 2405:b500::/32
    RemoteIPTrustedProxy 2405:8100::/32
    RemoteIPTrustedProxy 2a06:98c0::/29
    RemoteIPTrustedProxy 2c0f:f248::/32
    </IfModule>
  • Click Update
  • Click Restart Apache


And that should be it!
I tried to keep you off the command line as much as I could and make this as straight forward as possible. Let me know if there are any issues with this though.
I want to add CloudFlare option in CPanel , if I follow these steps then will it add CloudFlare option in CPanel ?
Or do I need to do something more ?