Mod_remoteip and real IP logging in access log

If your cPanel server runs Apache behind nginx as a reverse proxy, the Apache access_log will not show the real IP address (the visitor's IP address); instead it shows the server's IP address. Because of this, we cannot block the IPs that are causing a brute-force attack, and we cannot determine which IP address is consuming high bandwidth.

Here I will explain how to enable real IP logging. For this, the installed Apache needs the mod_remoteip or mod_rpaf module; here I will use mod_remoteip.
To install the mod_remoteip module, please refer to https://documentation.cpanel.net/display/EA/Custom+Modules

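After the module is installed, make sure that every IP address of the server is listed in remoteip.conf. mod_remoteip accepts the client address header only from the addresses listed as RemoteIPInternalProxy, so list the server's own addresses there and nothing else. The format is as follows: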

/usr/local/apache/conf/includes/remoteip.conf

LoadModule remoteip_module modules/mod_remoteip.so
#Mod_remoteip settings
RemoteIPHeader X-Real-IP
#RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
# Repeat the RemoteIPInternalProxy line for every IP address on the server

Then add "real_ip_recursive on;" at the end of the /etc/nginx/proxy.inc file:

proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

After that, edit the following files directly:

sed -i.original -e 's/\(logformat.*\)%h\(.*\)/\1%a\2/' /var/cpanel/conf/apache/main
sed -i.original -e 's/\(.*\)%h \(.* combinedvhost.*\)/\1%a \2/' /usr/local/cpanel/Cpanel/AdvConfig/apache.pm

This ensures that %h is replaced with %a for the combinedvhost LogFormat entry (in addition to the other LogFormat entries) in httpd.conf.

These edits will get overwritten after a upcp run, so you may want to put these instructions in a script and add that script to /usr/local/cpanel/scripts/postupcp.
Finally, rebuild the configuration and restart the services:

/scripts/rebuildhttpdconf
/scripts/rebuildvhosts
service nginx restart
service httpd restart
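
One way to write the postupcp script suggested above, as an added example that is not part of the original post or of cPanel's own code. It applies the two sed expressions from this article only when they still change something and keeps the first backup; the helper name apply_once is hypothetical.

```sh
#!/bin/sh
# Added example (not cPanel's code): re-apply the article's two sed edits after upcp.
# File paths and sed expressions come from the article; apply_once is a hypothetical helper.
MAIN_CONF=/var/cpanel/conf/apache/main
APACHE_PM=/usr/local/cpanel/Cpanel/AdvConfig/apache.pm
MAIN_EXPR='s/\(logformat.*\)%h\(.*\)/\1%a\2/'
PM_EXPR='s/\(.*\)%h \(.* combinedvhost.*\)/\1%a \2/'

# apply_once FILE EXPR
# Runs sed EXPR over FILE and prints "patched", "unchanged" or "missing".
# The first pre-edit copy is kept as FILE.original and never overwritten,
# so repeated upcp runs cannot replace the backup with an edited file.
apply_once() {
    ao_file=$1
    ao_expr=$2
    if [ ! -f "$ao_file" ]; then
        echo missing
        return 0
    fi
    ao_tmp=$(mktemp) || return 1
    sed -e "$ao_expr" "$ao_file" > "$ao_tmp" || { rm -f "$ao_tmp"; return 1; }
    if cmp -s "$ao_file" "$ao_tmp"; then
        echo unchanged
    else
        [ -e "$ao_file.original" ] || cp -p "$ao_file" "$ao_file.original"
        # Write through the existing file so its owner and mode are kept.
        cat "$ao_tmp" > "$ao_file"
        echo patched
    fi
    rm -f "$ao_tmp"
}

# Only act on a server that has both files; rebuild only if something changed.
if [ -f "$MAIN_CONF" ] && [ -f "$APACHE_PM" ]; then
    r_main=$(apply_once "$MAIN_CONF" "$MAIN_EXPR")
    r_pm=$(apply_once "$APACHE_PM" "$PM_EXPR")
    if [ "$r_main" = patched ] || [ "$r_pm" = patched ]; then
        /scripts/rebuildhttpdconf
        /scripts/rebuildvhosts
        service nginx restart
        service httpd restart
    fi
fi
```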
