mod_cloudflare vs mod_remoteip

[caisc]

Hi,

Recently came through a nice guide at - devside.net/wamp-server/installing-mod_cloudflare-apache-module-to-get-real-visitor-ip-addresses

It says mod_remoteip is better solution than mod_cloudflare

What do experts say on pros and cons.

Thanks

 

[vacancy]

There is no difference.

The work done in the mod_remoteip and mod_cloudflare extensions is to execute the function X-Forwarded-For.

You can choose any.

 

[caisc]

@vacancy Thanks for the update.

I have EasyApache4 with cloudlinux 7 on server.

Did EasyApache and installed mod_remoteip on the server.

[email protected] [~]# httpd -M | grep remoteip
remoteip_module (shared)
[email protected] [~]#


Now do I need to put some extra configuration in this file at location - /etc/apache2/conf.modules.d/360_mod_remoteip.conf

Like -
RemoteIPHeader X-Real-IP
RemoteIPInternalProxy SERVER_IP_ADDRESS

Replace the SERVER_IP_ADDRESS with your server IP address.

Thanks

 

[vacancy]

One last step is needed.

Apache configuration > Include editor > Pre main Include / All versions

The following codes should be added.

<IfModule remoteip_module>
  RemoteIPHeader X-Forwarded-For
</IfModule>
<IfModule log_config_module>
  LogFormat "%{Referer}i -> %U" referer
  LogFormat "%{User-agent}i" agent
  LogFormat "%a %l %u %t \"%r\" %>s %b" common
  LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  CustomLog logs/access_log combined
</IfModule>

 

[caisc]

Thanks completed the last step as mentioned and restarted Apache.

Now the real abusing IPs hidden behind cloudflare will be logged and will be blocked in CSF firewall as per rules defined in CSF firewall and mod_security rules. Right?

 

[vacancy]

No.

Csf and similar softwares, read netstat data.

The x-forwarded-for function is only valid for traffic to the webserver.

It can do it mod_evasive.

 

[caisc]

So this will only log the real IP of the user who access the site hosted on my server via cloudflare or any other proxy network.
plz confirm.

 

[vacancy]

Yes.

Csf and similar firewalls that you use will operate according to the unix netstat data. The x-forwarded-for module is not a unix core module, but a webserver module.

 

[cPanelMichael]

Hello,

It looks like this topic is now solved. Let us know if you have any additional questions.

Thank you.

 

[rogerw]

What was the solution?
How can we pass the x-forwarded-for to CSF?

 

[cPanelMichael]

What was the solution?
How can we pass the x-forwarded-for to CSF?

Hello @rogerw,

It's not supported. Here's the quote from earlier in this thread that answers this question:

Yes.

Csf and similar firewalls that you use will operate according to the unix netstat data. The x-forwarded-for module is not a unix core module, but a webserver module.

Thank you.

 

[linuxman1]

What was the solution?
How can we pass the x-forwarded-for to CSF?

Yes you can, CSF LF_MODSEC will read mod-security logs from Apache and can block attacking ip addresses via iptables when you use mod_remoteip BUT, this will not help at all when you use CloudFlare! I had to search for more than one hour to find a good solution for this issue but can't so I have to disable CloudFlare so I can benefit from CSF and mod-security blocking, take this snippet from CSF docs and you will understand the issue.
--------------------
CloudFlare
This features provides interaction with the CloudFlare Firewall
As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
iptables is concerned) come from the CloudFlare IP's. To counter this, an
Apache module (mod_cloudflare) is available that obtains the true attackers
IP from a custom HTTP header record (similar functionality is available
for other HTTP daemons
However, despite now knowing the true attacking IP address, iptables cannot
be used to block that IP as the traffic is still coming from the CloudFlare
servers
CloudFlare have provided a Firewall feature within the user account where
rules can be added to block, challenge or whitelist IP addresses
Using the CloudFlare API, this feature adds and removes attacking IPs from
that firewall and provides CLI (and via the UI) additional commands
See /etc/csf/readme.txt for more information about this feature and the
restrictions for its use BEFORE enabling this feature
-----------------------------------------------------------------------------------------------------
And I found the recommended solution by CSF docs isn't easy to be done for every client, so I had to disable CloudFlare for now.

 

[rogerw]

Yes you can, CSF LF_MODSEC will read mod-security logs from Apache and can block attacking ip addresses via iptables when you use mod_remoteip...
...recommended solution by CSF docs isn't easy to be done for every client, so I had to disable CloudFlare for now.

Ah... I understand better. Thank you for following up, that is muchly appreciated!