Help configuring mod_remoteip for CloudFlare, I don't know the correct method

wonder_wonder

Well-Known Member
Jan 16, 2019
100
35
28
Spain
cPanel Access Level
Root Administrator
Hi,
First of all, sorry if this thread belongs in the EasyApache subforum, but I'm not sure whether, as it is about Cloudflare, it is better here or in the EA subforum.

Well, in the last few days I have read a lot about configuring mod_remoteip for Cloudflare, and unfortunately for me it is not my forte and I have not reached any conclusion or method for doing so.

First, I read the Cloudflare instructions:
https://support.cloudflare.com/hc/en-us/articles/360029696071
Point 2, I don't know how to do it and I don't see the file /etc/apache2/sites-available/000-default.conf; it is for a virtualhost, this is new for me.
Point 4, also, in the path /etc/apache2/conf-available/remoteip.conf the folder .../conf-available/... does not exist....

I think these are old instructions or...

Continuing to search and read, I saw these threads:
https://forums.cpanel.net/threads/configure-mod_remoteip-for-cloudflare.640101/
https://forums.cpanel.net/threads/mod_cloudflare-vs-mod_remoteip.594783/
https://forums.cpanel.net/threads/problem-with-mod_remoteip.536891/
https://forums.cpanel.net/threads/visitor-ips-in-logs-using-cloudflare.594027/

I read them all; some are old and/or for versions different from mine, others are for cloud (and I have a VPS). Finally, I think this is the correct one and the most similar to my case:
https://forums.cpanel.net/threads/visitor-ips-in-logs-using-cloudflare.594027/

First step: the code below needs to be added in /etc/apache2/conf/httpd.conf

I go to the file /etc/apache2/conf/httpd.conf

At the end of this file it shows/indicates this:

Code:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
#
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#   DO NOT EDIT. AUTOMATICALLY GENERATED.  USE INCLUDE FILES IF YOU NEED TO MAKE A CHANGE
#   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
Oops, "Do not edit..."
If it is indicated in capital letters and so clearly specified, it has its importance, therefore I stop and do not edit it...

Conclusion: something that is surely relatively easy; my knowledge in this specific area is very low and I see that I don't know how to do something that, apparently, is easy... :oops:

Thanks in advance :)

wonder_wonder

Well, after continuing to read and search and understanding the changes, I see (or think) it isn't difficult. I followed these steps:
WHM - Apache Configuration - Include Editor - Pre Main Include (select all versions), and inserted this code:
Code:
<IfModule !mod_remoteip.c>
LoadModule remoteip_module modules/mod_remoteip.so
</IfModule>

<IfModule mod_remoteip.c>
# CloudFlare Header
RemoteIPHeader CF-Connecting-IP

# Trusted Proxy List
# note - using RemoteIPTrustedProxy instead of RemoteIPInternalProxy
# note - RemoteIPTrustedProxy does NOT trust Header provided private intranet addresses (local and LAN addresses)
# note - RemoteIPInternalProxy is a security risk when using an external Proxy

# CloudFlare IPv4 Address Ranges
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/12
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22

# CloudFlare IPv6 Address Ranges
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32
</IfModule>
After this, also in WHM - Apache Configuration - Global Configuration, I changed the value %h to %a in LogFormat (combined).
Finally, this is the config in this field for LogFormat (combined):
Code:
%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
Rebuild and restart Apache.

When I enter this in the terminal:
Code:
netstat -an | egrep ':80|:443' | grep ESTABLISHED | awk '{print $5}' | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq -c | sort -nr
The Cloudflare IPs continue to appear...

I think these are the correct steps to configure mod_remoteip for Cloudflare but... for me, it does not work....
I tried other configs but none work, and I think (it's possibly my error) this is the right config...

Thanks and regards.
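To make the security point behind the config above concrete, here is the decision mod_remoteip takes for each request, written out as an added Python example (mine, not code from the thread or from Apache). It uses the Cloudflare ranges exactly as listed in the post; the private-address rejection uses the usual RFC 1918, loopback, link-local and ULA ranges as an approximation of the module's own check; and it also walks a comma-separated header such as X-Forwarded-For from right to left, which the single-valued CF-Connecting-IP does not need. All addresses in the cases are constructed.

```python
"""What mod_remoteip does with RemoteIPHeader + RemoteIPTrustedProxy, as plain Python.

Added example, not code from the thread or from Apache. The ranges are the ones
listed in the post above; check them against Cloudflare's published list before use.
"""
import ipaddress

CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Addresses that trusted-proxy mode refuses to accept from the header (RFC 1918,
# loopback, link-local, ULA). Assumption: this approximates the module's own check.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def in_any(addr, nets):
    # `addr in net` is False when the address families differ, so mixing v4/v6 is safe
    return any(addr in net for net in nets)


def is_trusted_proxy(ip, trusted=CLOUDFLARE_RANGES):
    return in_any(ipaddress.ip_address(ip), trusted)


def effective_client_ip(peer_ip, header_value, trusted=CLOUDFLARE_RANGES):
    """Return the address Apache logs as %a (and exposes as REMOTE_ADDR).

    Walks the header right to left, as mod_remoteip does: the current hop is
    replaced by the address it reports only while that hop is a trusted proxy.
    A direct client that forges CF-Connecting-IP is not in the list, so its own
    TCP address is kept.
    """
    current = ipaddress.ip_address(peer_ip)
    if not header_value:
        return str(current)
    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    while hops and in_any(current, trusted):
        try:
            claimed = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry: stop and keep what we have
        if in_any(claimed, PRIVATE_NETS):
            break  # trusted-proxy mode rejects private addresses from the header
        current = claimed
    return str(current)


if __name__ == "__main__":
    # Constructed cases: (TCP peer, header value)
    cases = [
        ("172.64.1.1", "198.51.100.9"),      # via Cloudflare: header honoured
        ("203.0.113.7", "198.51.100.9"),     # direct client forging the header: ignored
        ("172.64.1.1", "10.0.0.5"),          # private address in header: rejected
        ("2606:4700::1", "2001:db8::1"),     # IPv6 edge, IPv6 visitor
        ("172.64.1.1", "9.9.9.9, 198.51.100.9"),  # XFF-style chain, untrusted middle hop
    ]
    for peer, header in cases:
        print(f"peer={peer:14} header={header!r:28} -> %a={effective_client_ip(peer, header)}")
```

The second case is the one that matters: a client that reaches the origin directly and sends its own CF-Connecting-IP is not a trusted peer, so the forged value is dropped and its real TCP address is logged. The substitution happens inside Apache after the TCP handshake, which is why tools that read the kernel's connection table keep showing the Cloudflare edge addresses.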

rackaid

Well-Known Member
Jan 18, 2003
89
27
168
Jacksonville, FL
cPanel Access Level
DataCenter Provider
mod_remoteip only impacts Apache's IP address. The module basically takes the CF-Connecting-IP value and copies it over to the Remote Addr variable.

Netstat is looking at your network stack. So that will always show Cloudflare IPs. If you check your Apache logs, you should see the original visitor IP.

wonder_wonder

OK thanks!
I had not looked at the Apache logs, I had only looked with netstat.
I understand then that my configuration is correct, so I will look at the Apache logs.
If so, is there any way to see with netstat (or another command) the connections open at the moment for each real IP? The same way I see it with netstat, but in some other way.
I ask this because, for example, the other day I had a DDoS attack, and it went very well (with Cloudflare deactivated) to see how many connections per IP there were at that time, and I was able to take the necessary measures against the IPs that had many simultaneous connections.

Thanks and best regards.

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,297
1,251
313
Houston
This will count the number of connections per IP address, looking only at ports 443 and 80, TCP or UDP, and their current STATE, excluding LISTEN:

Code:
netstat -plan |egrep ':80|:443'|grep -v LISTEN |awk '{print $1,$5,$6}' |uniq -c |sort -rn
If you just wanted the IP and the count, something like this would work:

Code:
netstat -plan |egrep ':80|:443'|grep -v LISTEN |awk '{print $5}' |cut -d: -f1| sort |uniq -c |sort -rn

wonder_wonder

Thanks @cPanelLauren !
I see the option you indicate is better than my last netstat line.

Yes, I want to see the number of connections per IP address.

Thanks for your indications about netstat.

But two doubts:

With the first line, I see IPv4 and IPv6 (complete) connections; with the second, for IPv6 only the first part.

Also, with this I see the Cloudflare IPs (with netstat); in the Apache logs, yes, I see the real IP. Is it possible to see the real IP with netstat?

Thanks and regards!

rackaid

Netstat looks at the network stack. From the network standpoint, the CF IP is the client side of the connection, so the CF IP is what you will see. You will not see the web visitor's IP. The web visitor IP is contained in an HTTP header. That is how Apache can extract the data.

If the Cloudflare analytics are not giving you a clear picture of who's connecting, you can then check your Apache logs. Extract the IP addresses and total them up. See who's connecting the most. If that is from a country, you can use Cloudflare's rules to put a JS or Captcha Challenge for those countries. I use their browser challenge feature for China, Russia, and Ukraine.
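Both counting jobs from this thread in one added Python example (mine, not code from any participant): the netstat part strips the port at the last colon so IPv6 peers are not cut down to their first group the way `cut -d: -f1` does (the doubt raised earlier), and the access-log part tallies the %a field of the combined LogFormat from the earlier post, which after mod_remoteip holds the real visitor address. Both inputs are constructed samples.

```python
"""Per-client tallies from the two sources in this thread, as plain Python.

Added example, not code from any participant. Both inputs are constructed samples.
"""
import re
from collections import Counter

# Constructed `netstat -an` output: LISTEN rows to skip, a non-web port, IPv4 and IPv6 peers.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:443        172.64.1.1:51234        ESTABLISHED
tcp        0      0 203.0.113.10:443        172.64.1.1:51235        ESTABLISHED
tcp        0      0 203.0.113.10:80         162.158.10.5:40000      TIME_WAIT
tcp        0      0 203.0.113.10:22         198.51.100.77:40001     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2606:4700::1:55001      ESTABLISHED
tcp6       0      0 2001:db8::10:443        2606:4700::1:55002      ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Constructed access_log lines in the combined format from the earlier post,
# with %a first (the address mod_remoteip substituted from CF-Connecting-IP).
ACCESS_LOG_SAMPLE = """\
203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "curl/7.64.1"
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
2001:db8::1 - - [10/Mar/2020:12:00:04 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
this line is deliberately malformed
"""

# Matches: %a %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def strip_port(endpoint):
    """'2606:4700::1:55001' -> '2606:4700::1'; '172.64.1.1:51234' -> '172.64.1.1'.
    Splitting at the last colon works for both families; `cut -d: -f1` does not."""
    host, _, _ = endpoint.rpartition(":")
    return host


def local_port(endpoint):
    return endpoint.rpartition(":")[2]


def netstat_peers(text, ports=("80", "443")):
    """Count non-LISTEN TCP connections per peer address on the given local ports.
    Behind Cloudflare these peers are Cloudflare edge addresses, never the visitor."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line, or a UDP row without a State column
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN" or local_port(local) not in ports:
            continue
        counts[strip_port(foreign)] += 1
    return counts


def parse_access_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def log_clients(text, status=None):
    """Count requests per %a address, optionally only those with a given HTTP status."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None or (status is not None and rec["status"] != str(status)):
            continue
        counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for label, counts in (
        ("netstat peers (what the kernel sees)", netstat_peers(NETSTAT_SAMPLE)),
        ("access_log %a (what mod_remoteip recovered)", log_clients(ACCESS_LOG_SAMPLE)),
    ):
        print(label)
        for ip, n in counts.most_common():
            print(f"{n:6d} {ip}")
```

The same split applies to blocking: CSF and iptables act on the TCP peer, so a block on the visitor address recovered from the log does nothing for traffic that arrives through Cloudflare; that block has to be placed in Cloudflare's firewall rules, or in Apache on the header-derived address.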

wonder_wonder

Thanks for the reply @rackaid .

The reason for wanting to see the simultaneous connections from the same IP is that, a few days ago, I deduce I had a DDoS attack (I did not have Cloudflare activated, for other reasons); with netstat I could see how some IPs had more than 500 connections, I proceeded to block them and I was able to resolve the attack (or if it wasn't an attack, whatever they were doing). Something similar had never happened to me, and from the terminal, with netstat, I could quickly see what was happening and which IPs had a high number of simultaneous connections, and as netstat orders them by number of simultaneous connections... they appear at the top of its list.

Indeed I can see it through the Apache logs, or if I open Visitors in cPanel, but the information netstat gives in real time is very good; if I go to the Apache logs I must search, look, analyze whether that is what is happening... etc...

I did not know about the Cloudflare function you mention, on the subject of countries; in the events of the other day, I didn't even notice what country it was, I just blocked the IPs from CSF.

Again, thanks!