Mod_remoteip and real IP login in access log

If your cPanel server is configured with Apache + nginx as reverse proxy then the Apache access_log will not show the real IP address ( visitor’s IP address ), instead it shows server IP address. Due to this we cannot block the IPs that causing bruteforce attack. or we can’t determine the IP address that consuming high bandwidth.

Here I will explain how we can enable real IP login. For this, the installed Apache should need mod_remoteip or mod_rpaf module, here I will use mod_remoteip.
To install the mod_remoteip module please refer the link

After the module installation, make sure that all the server IP address is listed in remoteip.conf and the format is as follows


LoadModule remoteip_module modules/
#Mod_remoteip settings
RemoteIPHeader X-Real-IP
#RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy ………repeat it for all the IPs in the server

and then add ” real_ip_recursive on; ” at the end of /etc/nginx/ file

proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

after that directly edit following files.

sed -i.original -e ‘s/\(logformat.*\)%h\(.*\)/\1%a\2/’ /var/cpanel/conf/apache/main
sed -i.original -e ‘s/\(.*\)%h \(.* combinedvhost.*\)/\1%a \2/’ /usr/local/cpanel/Cpanel/AdvConfig/

This will ensure that %h is replaced with %a for the combinedvhost LogFormat entry (in addition to the other LogFormat entries) in httpd.conf

This will get overwritten after a upcp, so you may want to put these instructions in a script and add that script to /usr/local/cpanel/scripts/postupcp
Finally rebuild and restart the services.

service nginx restart
service httpd restart

Leave a Reply

Your email address will not be published. Required fields are marked *