Hey there! Can you ensure you have mod_remoteip installed on the server? More details on that can be found here: https://support.cpanel.net/hc/en-us/articles/360051107513-Restoring-visitors-IP-with-mod-remoteip
I had ea-apache24-mod_remoteip installed.
But over /etc/apache2/conf.modules.d/370_mod_remoteip.conf I only had RemoteIPHeader CF-Connecting-IP block.
So I added
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy server-main-public-ip
After the CF-Connecting-IP block.
Should that be okay?
I had %h replaced with %a over one log but not the other. I have now fixed the other one.
Restarted Apache.
I have not got any new hit to mod sec yet. So I'll check the hit list later.
Thanks for your quick support!
Btw, I was expecting installing cpanel official nginx will auto take care of the proxy logging issue.
But over /etc/apache2/conf.modules.d/370_mod_remoteip.conf I only had RemoteIPHeader CF-Connecting-IP block.
So I added
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy server-main-public-ip
After the CF-Connecting-IP block.
Should that be okay?
I had %h replaced with %a over one log but not the other. I have now fixed the other one.
Restarted Apache.
I have not got any new hit to mod sec yet. So I'll check the hit list later.
Thanks for your quick support!
Btw, I was expecting installing cpanel official nginx will auto take care of the proxy logging issue.
It should - when you install Nginx through the cPanel tools, we do also install mod_remoteip. That is noted here:
NGINX with Reverse Proxy | cPanel & WHM Documentation
This document explains how to install NGINX with Reverse Proxy on a server that runs cPanel & WHM and EasyApache 4.
docs.cpanel.net
I've never had a need to customize the remoteip config file, so I'm not 100% sure if the details you outlined would work or not. If you're still seeing issues after you've received some more ModSec hits, please open a ticket with our support team and we'll be happy to investigate!
After much digging, our team found that unique requests coming into the server are working properly, but that the site is making many requests to itself, causing confusion in the logs.
