If your cPanel server runs Apache behind nginx as a reverse proxy, the Apache access_log will not show the visitor's real IP address; it shows the server's IP address instead. As a result, we cannot block the IPs that are causing a brute-force attack, or determine which IP address is consuming high bandwidth.
Here I will explain how to enable real IP logging. For this, Apache needs the mod_remoteip or mod_rpaf module; here I will use mod_remoteip.
To install the mod_remoteip module, please refer to https://documentation.cpanel.net/display/EA/Custom+Modules
After installing the module, make sure that all of the server's IP addresses are listed in remoteip.conf, in the following format:
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPInternalProxy ……… (repeat this line for each IP address on the server)
Then add "real_ip_recursive on;" at the end of the /etc/nginx/proxy.inc file.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
After that, edit the following files directly.
sed -i.original -e 's/\(logformat.*\)%h\(.*\)/\1%a\2/' /var/cpanel/conf/apache/main
sed -i.original -e 's/\(.*\)%h \(.* combinedvhost.*\)/\1%a \2/' /usr/local/cpanel/Cpanel/AdvConfig/apache.pm
This ensures that %h is replaced with %a for the combinedvhost LogFormat entry (in addition to the other LogFormat entries) in httpd.conf.
These changes will be overwritten after a upcp run, so you may want to put these instructions in a script and add that script to /usr/local/cpanel/scripts/postupcp.
Finally, rebuild and restart the services.
service nginx restart
service httpd restart
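
The hook suggested above for /usr/local/cpanel/scripts/postupcp, as an added example (not the author's or cPanel's code): it re-applies the two sed edits only when %h has come back after an update, and exits non-zero if Apache would still log the proxy address. Assumptions: the rebuild step is cPanel's /usr/local/cpanel/scripts/rebuildhttpdconf, which the page does not name, and the helper name patch_if_needed is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): postupcp hook that re-applies
# the page's %h -> %a edits after a cPanel update and verifies they took.
MAIN_CONF="${MAIN_CONF:-/var/cpanel/conf/apache/main}"
APACHE_PM="${APACHE_PM:-/usr/local/cpanel/Cpanel/AdvConfig/apache.pm}"

# "Still unpatched" grep patterns and the sed expressions from the page.
MAIN_PENDING='logformat.*%h'
MAIN_SED='s/\(logformat.*\)%h\(.*\)/\1%a\2/'
PM_PENDING='%h .* combinedvhost'
PM_SED='s/\(.*\)%h \(.* combinedvhost.*\)/\1%a \2/'

# patch_if_needed FILE PENDING_PATTERN SED_EXPR  (hypothetical helper)
# Returns 0 if FILE logs %a afterwards, 1 if %h survived, 2 if FILE is missing.
patch_if_needed() {
    file=$1; pending=$2; expr=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if grep -q "$pending" "$file"; then
        # Only touch the file when upcp has reverted it, so a no-op run
        # never overwrites the FILE.original backup.
        sed -i.original -e "$expr" "$file"
    fi
    if grep -q "$pending" "$file"; then
        echo "still logging %h (proxy address): $file" >&2
        return 1
    fi
    return 0
}

main() {
    patch_if_needed "$MAIN_CONF" "$MAIN_PENDING" "$MAIN_SED" || return 1
    patch_if_needed "$APACHE_PM" "$PM_PENDING" "$PM_SED" || return 1
    # Assumption: rebuildhttpdconf is the "rebuild" step; the page does not name it.
    /usr/local/cpanel/scripts/rebuildhttpdconf || return 1
    service nginx restart && service httpd restart
}

# Run only on a host that actually has the cPanel files.
if [ -f "$MAIN_CONF" ] && [ -f "$APACHE_PM" ]; then
    main
fi
```

A non-zero exit from this hook means access_log is again recording the proxy address, so IP-based brute-force blocking built on that log should be treated as blind until the edit is reapplied.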