vacancy

Well-Known Member
Sep 20, 2012
457
159
93
Turkey
cPanel Access Level
Root Administrator
There is no difference.

The work done in the mod_remoteip and mod_cloudflare extensions is to execute the function X-Forwarded-For.

You can choose any.
 
  • Like
Reactions: caisc

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
@vacancy Thanks for the update.

I have EasyApache4 with cloudlinux 7 on server.

Did EasyApache and installed mod_remoteip on the server.

[email protected] [~]# httpd -M | grep remoteip
remoteip_module (shared)
[email protected] [~]#


Now do I need to put some extra configuration in this file at location - /etc/apache2/conf.modules.d/360_mod_remoteip.conf

Like -
RemoteIPHeader X-Real-IP
RemoteIPInternalProxy SERVER_IP_ADDRESS


Replace the SERVER_IP_ADDRESS with your server IP address.

Thanks
 

vacancy

Well-Known Member
Sep 20, 2012
457
159
93
Turkey
cPanel Access Level
Root Administrator
One last step is needed.

Apache configuration > Include editor > Pre main Include / All versions

The following codes should be added.

Code:
<IfModule remoteip_module>
  RemoteIPHeader X-Forwarded-For
</IfModule>
<IfModule log_config_module>
  LogFormat "%{Referer}i -> %U" referer
  LogFormat "%{User-agent}i" agent
  LogFormat "%a %l %u %t \"%r\" %>s %b" common
  LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  CustomLog logs/access_log combined
</IfModule>
 

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
Thanks completed the last step as mentioned and restarted Apache.

Now the real abusing IPs hidden behind cloudflare will be logged and will be blocked in CSF firewall as per rules defined in CSF firewall and mod_security rules. Right?
 

vacancy

Well-Known Member
Sep 20, 2012
457
159
93
Turkey
cPanel Access Level
Root Administrator
No.

Csf and similar softwares, read netstat data.

The x-forwarded-for function is only valid for traffic to the webserver.

It can do it mod_evasive.
 
Last edited:

caisc

Well-Known Member
Oct 5, 2011
73
2
58
India
cPanel Access Level
Root Administrator
So this will only log the real IP of the user who access the site hosted on my server via cloudflare or any other proxy network.
plz confirm.
 

vacancy

Well-Known Member
Sep 20, 2012
457
159
93
Turkey
cPanel Access Level
Root Administrator
Yes.

Csf and similar firewalls that you use will operate according to the unix netstat data. The x-forwarded-for module is not a unix core module, but a webserver module.
 
Last edited:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
Hello,

It looks like this topic is now solved. Let us know if you have any additional questions.

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,222
463
What was the solution?
How can we pass the x-forwarded-for to CSF?
Hello @rogerw,

It's not supported. Here's the quote from earlier in this thread that answers this question:

Yes.

Csf and similar firewalls that you use will operate according to the unix netstat data. The x-forwarded-for module is not a unix core module, but a webserver module.
Thank you.
 

linuxman1

Member
Aug 25, 2017
14
0
1
Egypt
cPanel Access Level
Root Administrator
What was the solution?
How can we pass the x-forwarded-for to CSF?
Yes you can, CSF LF_MODSEC will read mod-security logs from Apache and can block attacking ip addresses via iptables when you use mod_remoteip BUT, this will not help at all when you use CloudFlare! I had to search for more than one hour to find a good solution for this issue but can't so I have to disable CloudFlare so I can benefit from CSF and mod-security blocking, take this snippet from CSF docs and you will understand the issue.
--------------------
CloudFlare
This features provides interaction with the CloudFlare Firewall
As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
iptables is concerned) come from the CloudFlare IP's. To counter this, an
Apache module (mod_cloudflare) is available that obtains the true attackers
IP from a custom HTTP header record (similar functionality is available
for other HTTP daemons
However, despite now knowing the true attacking IP address, iptables cannot
be used to block that IP as the traffic is still coming from the CloudFlare
servers
CloudFlare have provided a Firewall feature within the user account where
rules can be added to block, challenge or whitelist IP addresses
Using the CloudFlare API, this feature adds and removes attacking IPs from
that firewall and provides CLI (and via the UI) additional commands
See /etc/csf/readme.txt for more information about this feature and the
restrictions for its use BEFORE enabling this feature
-----------------------------------------------------------------------------------------------------
And I found the recommended solution by CSF docs isn't easy to be done for every client, so I had to disable CloudFlare for now.
 

rogerw

Member
Feb 21, 2012
23
4
53
cPanel Access Level
Website Owner
Yes you can, CSF LF_MODSEC will read mod-security logs from Apache and can block attacking ip addresses via iptables when you use mod_remoteip...
...recommended solution by CSF docs isn't easy to be done for every client, so I had to disable CloudFlare for now.
Ah... I understand better. Thank you for following up, that is muchly appreciated!