Easiest way to install mod_cloudflare on latest CPanel since it's not available in EA?

quanin

• April 16, 2020 06:35

Or, more appropriately, are there plans to include mod_cloudflare in EA4? Assuming the answer is no, what is a non-headache-inducing way to install mod_cloudflare on a CPanel server? I'm not a hosting partner, so CF's official plugin is out since I doubt they'll approve me. Suggestions are appreciated, up to and including something I have yet to find on Google (I'm just getting off a 10-hour shift).

• 

  cPanelLauren

  • April 16, 2020 21:05

  Hello @quanin The simple answer to this is that you don't, mod_cloudflare is not even supported by CloudFlare at this point. What you should use is mod_remoteip which is also what CloudFlare Suggests: [QUOTE=https://support.cloudflare.com/hc/en-us/articles/200170916-Restoring-original-visitor-IPs-Option-1-Installing-mod-cloudflare]Cloudflare no longer updates and supports mod_cloudflare, starting with versions Debian 9 *and *Ubuntu 18.04 LTS of the Linux operating system. We now support download the codebase from GitHub.
  mod_remoteip is available in the EA repository as well: Name : ea-apache24-mod_remoteip Arch : x86_64 Version : 2.4.43 Release : 1.1.1.cpanel Size : 41 k Repo : EA4/7/x86_64 Summary : IP replacement module for the Apache HTTP Server URL : http://httpd.apache.org/ License : ASL 2.0 Description : The mod_remoteip module is used to treat the useragent which initiated : the request as the originating useragent as identified by httpd for : the purposes of authorization and logging, even where that useragent : is behind a load balancer, front end server, or proxy server. : : The module overrides the client IP address for the connection with the : useragent IP address reported in the request header configured with : the RemoteIPHeader directive. : : Once replaced as instructed, this overridden useragent IP address is : then used for the mod_authz_host Require ip feature, is reported by : mod_status, and is recorded by mod_log_config %a and core %a format : strings. The underlying client IP of the connection is available in : the %{c}a format string.
  

  0
• 

  ffeingol

  • April 16, 2020 21:13

  @cPanelLauren but isn't mod_remoteip going to be difficult to setup in cPanel? You have to change the LogFormat statement? Having said the above, it's getting more and more difficult to use CloudFlare on cPanel servers. Besides depreciating mod_cloudflare, they are using the cPanel API V1 for their cPanel plugin. When we opened a ticket with them, we were told that the plugin is also no longer being supported.

  0
• 

  cPanelLauren

  • April 16, 2020 22:17

  The plugin isn't supported anymore, no, which is a bummer as I know a lot of people used it, that wasn't our decision though, it was theirs. As far as enabling mod_remoteip for CloudFlare the instructions are indeed different than what they provide. I do miss the ease of their instructions for mod_cloudflare. So, I believe the following should work (only including relevant steps): [QUOTE]1. Update the site configuration to include RemoteIPHeader CF-Connecting-IP
  Using Modify Apache Virtual Hosts with Include Files | cPanel & WHM Documentation Apply to all virtual hosts on the system

  • With and without SSL - /etc/apache2/conf.d/userdata/includename.conf

  Alternatively you could modify the includes here:

  • With SSL
    • /etc/apache2/conf.d/userdata/ssl/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/ssl/includename.conf
  • Without SSL
    • /etc/apache2/conf.d/userdata/std/2_4/includename.conf
    • /etc/apache2/conf.d/userdata/std/includename.conf

  You'll add the following line: RemoteIPHeader CF-Connecting-IP
  

  • After you create or edit an Apache include userdata file, you must rebuild the httpd.conf file and restart Apache for the changes to take effect.
    • To rebuild the httpd.conf file, run the following script:/usr/local/cpanel/scripts/rebuildhttpdconf
      
    • To restart Apache, run the following script:/usr/local/cpanel/scripts/restartsrv_httpd
      

  [QUOTE]2. Update combined LogFormat entry
  

  • This can be done at WHM>>Service Configuration>>Apache Configuration>>Global Configuration:
    • LogFormat (combined)
      • Default is: %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
        
    • LogFormat (common)
      • Default is: %h %l %u %t \"%r\" %>s %b
        
  • Note that all you're going to do is replace %h
    with %a
    so it should look like the following:
    • LogFormat (combined)%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
      
    • LogFormat (common)%a %l %u %t \"%r\" %>s %b
      
  • Ensure you click the checkbox for the customized version then click Save at the bottom of the page
  • A prompt will appear telling you what's been saved, confirm everything is as it should be
  • Select Rebuild Configuration and Restart Apache at the bottom of the page

  [QUOTE]3. Define trusted proxy addresses
  

  • This can be done through WHM>>Service Configuration>>Apache Configuration>>Include Editor -> Pre Main Include
  • Select All Versions
  • Add the following: RemoteIPHeader CF-Connecting-IP RemoteIPTrustedProxy 173.245.48.0/20 RemoteIPTrustedProxy 103.21.244.0/22 RemoteIPTrustedProxy 103.22.200.0/22 RemoteIPTrustedProxy 103.31.4.0/22 RemoteIPTrustedProxy 141.101.64.0/18 RemoteIPTrustedProxy 108.162.192.0/18 RemoteIPTrustedProxy 190.93.240.0/20 RemoteIPTrustedProxy 188.114.96.0/20 RemoteIPTrustedProxy 197.234.240.0/22 RemoteIPTrustedProxy 198.41.128.0/17 RemoteIPTrustedProxy 162.158.0.0/15 RemoteIPTrustedProxy 104.16.0.0/12 RemoteIPTrustedProxy 172.64.0.0/13 RemoteIPTrustedProxy 131.0.72.0/22 RemoteIPTrustedProxy 2400:cb00::/32 RemoteIPTrustedProxy 2606:4700::/32 RemoteIPTrustedProxy 2803:f800::/32 RemoteIPTrustedProxy 2405:b500::/32 RemoteIPTrustedProxy 2405:8100::/32 RemoteIPTrustedProxy 2a06:98c0::/29 RemoteIPTrustedProxy 2c0f:f248::/32
    
  • Click Update
  • Click Restart Apache

  And that should be it! I tried to keep you off the command line as much as I could and make this as straight forward as possible. Let me know if there are any issues with this though.

  0
• 

  ffeingol

  • April 16, 2020 23:32

  As I said, it's going to be a pain to setup :) I did not mean to imply that cPanel was involved in any way with these decisions. I was just trying to point out that without mod_cloudflare and the cPanel modules, it's more difficult for most hosts to easily deal with CloudFlare.

  0
• 

  quanin

  • April 17, 2020 01:55

  @cPanelLauren, thanks for the instructions. Command line usage doesn't really bother me (I actually prefer that), but I've learned over the years that if I can do it in WHM I'll have less of an excuse to drink later when CPanel decides to argue with me. I was more asking about some kind of CF specific module/plugin because, as @ffeingol points out, Cloudflare and CPanel are a wee bit of a trick to get to play nicely together. Mostly in terms of making sure I catch all the subdomains etc CPanel creates when I put something new on the server. I suppose worst case if I want a domain on Cloudflare I can cheat and use another DNS service first (either my provider's, or the local DNS server), so CF pulls in all the relevant junk properly, but I was mostly looking for a way not to have to. Lazy sysadmin is lazy.

  0
• 

  cPanelLauren

  • April 17, 2020 14:01

  As I said, it's going to be a pain to setup :) I did not mean to imply that cPanel was involved in any way with these decisions. I was just trying to point out that without mod_cloudflare and the cPanel modules, it's more difficult for most hosts to easily deal with CloudFlare.

  
  Yea it's a bit more difficult but not more steps than they list on their site if that's any consolation. It took me about 45 minutes to set up but most of that time was formatting the text in what I was writing out for you guys here. If I had to set it up just by itself without writing instructions, I think it wouldn't have taken maybe max 10 minutes. With these instructions, I am hoping anyone that uses them will take less. @quanin this is the only supported method. You can still use mod_cloudflare but the instructions I provided should be everything you need to do with mod_remoteip, I went along as I was writing and enabled all this on my own server and can confirm its a good solution

  0
• 

  ffeingol

  • April 17, 2020 14:26

  And just a side note that the list of CloudFlare IP's is not 'fixed', so you'll want to check IP Ranges | Cloudflare every once in a while to insure your list matches their list.

  0
• 

  cPanelLauren

  • April 17, 2020 15:44

  And just a side note that the list of CloudFlare IP's is not 'fixed', so you'll want to check

  0
• 

  quanin

  • April 17, 2020 16:53

  @cPanelLauren Oh, I gathered that much. And yes, your instructions are perfect--any chance we can get this included in the docs? What I was semi-complaining about is for new domains. Create domain on CPanel, create domain in Cloudflare, point DNS to Cloudflare won't work quite as nicely as I'd like due to all the extra cruft CPanel adds as subdomains that need to be migrated over as well. Just adds an extra step for me is all, but for new projects that's all of about 5 seconds plus propagation time. I'd rather avoid it, but what can ya do?

  0
• 

  cPanelLauren

  • April 17, 2020 17:41

  @cPanelLauren Oh, I gathered that much. And yes, your instructions are perfect--any chance we can get this included in the docs? What I was semi-complaining about is for new domains. Create domain on CPanel, create domain in Cloudflare, point DNS to Cloudflare won't work quite as nicely as I'd like due to all the extra cruft CPanel adds as subdomains that need to be migrated over as well. Just adds an extra step for me is all, but for new projects that's all of about 5 seconds plus propagation time. I'd rather avoid it, but what can ya do?

  
  Well from what I found, as far as create a domain in cloudflare it pulls all the domain information in the DNS zone into the CloudFlare UI - For example, when I was testing this for you yesterday: Keep in mind I removed all my domain and IP related information in this screenshot - this was definitely a newly created domain/account as I just bought it the other day to have a domain registered with google domains so I could familiarize myself with their interface

  And yes, your instructions are perfect--any chance we can get this included in the docs?

  
  I was going to request that we add it to our support docs at cPanel but it may be something I add to a new forum I'm adding here soon with community based how-to articles :)

  0
• 

  quanin

  • April 17, 2020 17:54

  Ah. So you did the step I was trying to avoid. Register the domain, park it with a DNS server that's fed by CPanel (or the CNS server local to CPanel), create the domain inside CPanel, then migrate DNS over to Cloudflare. I'd ideally like to cut out that middle step. Create the domain within CPanel, set it up in Cloudflare's DNS, and have it just... work. No Google Domains or other DNS service required.

  0
• 

  cPanelLauren

  • April 17, 2020 19:06

  Ah. So you did the step I was trying to avoid. Register the domain, park it with a DNS server that's fed by CPanel (or the CNS server local to CPanel), create the domain inside CPanel, then migrate DNS over to Cloudflare. I'd ideally like to cut out that middle step. Create the domain within CPanel, set it up in Cloudflare's DNS, and have it just... work. No Google Domains or other DNS service required.

  
  Well, I had to register the domain, I'm not sure what you mean? I didn't need a 3rd party service, I just happened to have registered the domain with google because I'd wanted a domain with them (the purpose of that was so that I could accurately tell you guys how to navigate in there when asked). I just included that information so it was clear I used a new domain that hadn't been added to cPanel yet. The steps relevant to this were: - Point NS for domain to my cPanel server - Create account for the domain in cPanel - Wait a bit for propagation - Add domain to CloudFlare - Update NS for domain to CloudFlare's NS If the domain had existed prior in cPanel it would have been a bit faster: -Add domain to CloudFlare -Point NS to CloudFlare's NS Now, what was really nice about the CloudFlare plugin is that you didn't need to do any of that, it just added a CNAME record. I Found that CloudFlare does have a domain registrar Cloudflare Registrar | Domain Transfer | Cloudflare but I don't know if that will make things any easier as I haven't used it at all.

  0
• 

  quanin

  • April 17, 2020 19:28

  The short answer is no. The functionality you were describing from the Cloudflare plugin is close to what I was looking for--where it basically did all the actual moving things around for you. I mean, I had no problem changing my DNS settings, but if Cloudflare didn't scan my already existing DNS and pull in all the subdomains CPanel adds, I'd have probably missed something. also and because the question was implied, Cloudflare's registrar would be no help there at all. You apparently can't actually change your DNS info with them. It's either Cloudflare's DNS or nothing.

  0
• 

  cPanelLauren

  • April 17, 2020 20:15

  That link seems to just be someone confused about how to go back to using their registrar's DNS which is super easy for most providers. You don't need CloudFlare at all to do that. It didn't look like they had their domain registered with CloudFlare at all though.

  0
• 

  quanin

  • April 17, 2020 20:22

  The answer was in one of the replies to that question. I don't think the OP was all too clear what he wanted.

  0
• 

  piyushmaheswari

  • May 26, 2020 14:21

  The answer was in one of the replies to that question. I don't think the OP was all too clear what he wanted.

  
  Sir should I need Host API Key For this ? and Did it Support with LiteSpeed ? I have these on my server :- CPanel ( dedicated server ) CloudLinux LiteSpeed Imunify360 Config Server Firewall

  0
• 

  piyushmaheswari

  • May 26, 2020 14:38

  Sir please reply on this thread -

  0
• 

  thewebexpert

  • May 27, 2020 01:03

  The plugin isn't supported anymore, no, which is a bummer as I know a lot of people used it, that wasn't our decision though, it was theirs. As far as enabling mod_remoteip for CloudFlare the instructions are indeed different than what they provide. I do miss the ease of their instructions for mod_cloudflare. So, I believe the following should work (only including relevant steps): Using s %b \"%{Referer}i\" \"%{User-Agent}i\"
  

  LogFormat (common)

  • Default is: %h %l %u %t \"%r\" %>s %b
    

  Note that all you're going to do is replace %h
  with %a
  so it should look like the following:

  • LogFormat (combined)%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    
  • LogFormat (common)%a %l %u %t \"%r\" %>s %b
    

  Ensure you click the checkbox for the customized version then click Save at the bottom of the page

  A prompt will appear telling you what's been saved, confirm everything is as it should be

  Select Rebuild Configuration and Restart Apache at the bottom of the page

  • This can be done through WHM>>Service Configuration>>Apache Configuration>>Include Editor -> Pre Main Include
  • Select All Versions
  • Add the following: RemoteIPHeader CF-Connecting-IP RemoteIPTrustedProxy 173.245.48.0/20 RemoteIPTrustedProxy 103.21.244.0/22 RemoteIPTrustedProxy 103.22.200.0/22 RemoteIPTrustedProxy 103.31.4.0/22 RemoteIPTrustedProxy 141.101.64.0/18 RemoteIPTrustedProxy 108.162.192.0/18 RemoteIPTrustedProxy 190.93.240.0/20 RemoteIPTrustedProxy 188.114.96.0/20 RemoteIPTrustedProxy 197.234.240.0/22 RemoteIPTrustedProxy 198.41.128.0/17 RemoteIPTrustedProxy 162.158.0.0/15 RemoteIPTrustedProxy 104.16.0.0/12 RemoteIPTrustedProxy 172.64.0.0/13 RemoteIPTrustedProxy 131.0.72.0/22 RemoteIPTrustedProxy 2400:cb00::/32 RemoteIPTrustedProxy 2606:4700::/32 RemoteIPTrustedProxy 2803:f800::/32 RemoteIPTrustedProxy 2405:b500::/32 RemoteIPTrustedProxy 2405:8100::/32 RemoteIPTrustedProxy 2a06:98c0::/29 RemoteIPTrustedProxy 2c0f:f248::/32
    
  • Click Update
  • Click Restart Apache

  And that should be it! I tried to keep you off the command line as much as I could and make this as straight forward as possible. Let me know if there are any issues with this though.

  
  THANK YOU SO MUCH!!!!

  0
• 

  piyushmaheswari

  • May 27, 2020 05:10

  The plugin isn't supported anymore, no, which is a bummer as I know a lot of people used it, that wasn't our decision though, it was theirs. As far as enabling mod_remoteip for CloudFlare the instructions are indeed different than what they provide. I do miss the ease of their instructions for mod_cloudflare. So, I believe the following should work (only including relevant steps): Using s %b \"%{Referer}i\" \"%{User-Agent}i\"
  

  LogFormat (common)

  • Default is: %h %l %u %t \"%r\" %>s %b
    

  Note that all you're going to do is replace %h
  with %a
  so it should look like the following:

  • LogFormat (combined)%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
    
  • LogFormat (common)%a %l %u %t \"%r\" %>s %b
    

  Ensure you click the checkbox for the customized version then click Save at the bottom of the page

  A prompt will appear telling you what's been saved, confirm everything is as it should be

  Select Rebuild Configuration and Restart Apache at the bottom of the page

  • This can be done through WHM>>Service Configuration>>Apache Configuration>>Include Editor -> Pre Main Include
  • Select All Versions
  • Add the following: RemoteIPHeader CF-Connecting-IP RemoteIPTrustedProxy 173.245.48.0/20 RemoteIPTrustedProxy 103.21.244.0/22 RemoteIPTrustedProxy 103.22.200.0/22 RemoteIPTrustedProxy 103.31.4.0/22 RemoteIPTrustedProxy 141.101.64.0/18 RemoteIPTrustedProxy 108.162.192.0/18 RemoteIPTrustedProxy 190.93.240.0/20 RemoteIPTrustedProxy 188.114.96.0/20 RemoteIPTrustedProxy 197.234.240.0/22 RemoteIPTrustedProxy 198.41.128.0/17 RemoteIPTrustedProxy 162.158.0.0/15 RemoteIPTrustedProxy 104.16.0.0/12 RemoteIPTrustedProxy 172.64.0.0/13 RemoteIPTrustedProxy 131.0.72.0/22 RemoteIPTrustedProxy 2400:cb00::/32 RemoteIPTrustedProxy 2606:4700::/32 RemoteIPTrustedProxy 2803:f800::/32 RemoteIPTrustedProxy 2405:b500::/32 RemoteIPTrustedProxy 2405:8100::/32 RemoteIPTrustedProxy 2a06:98c0::/29 RemoteIPTrustedProxy 2c0f:f248::/32
    
  • Click Update
  • Click Restart Apache

  And that should be it! I tried to keep you off the command line as much as I could and make this as straight forward as possible. Let me know if there are any issues with this though.

  
  I want to add CloudFlare option in CPanel, if I follow these steps then will it add CloudFlare option in CPanel ? Or do I need to do something more ?

  0
• 

  piyushmaheswari

  • May 27, 2020 05:27

  Please help, I am facing this error IThe "/usr/sbin/httpd -DSSL -t -f /etc/apache2/conf/httpd.conf -C Include "/etc/apache2/conf.modules.d/*.conf"" command (process 3495919) reported error number 1 when it ended. Configuration problem detected on line 1 of file /etc/apache2/conf.d/userdata/includename.conf: Invalid command 'RemoteIPHeader', perhaps misspelled or defined by a module not included in the server configuration --- /etc/apache2/conf.d/userdata/includename.conf --- 1 ===> RemoteIPHeader CF-Connecting-IP <=== --- /etc/apache2/conf.d/userdata/includename.conf ---

  0
• 

  cPanelLauren

  • May 28, 2020 04:00

  I want to add CloudFlare option in CPanel, if I follow these steps then will it add CloudFlare option in CPanel ? Or do I need to do something more ?

  
  None of this will give you the plugin for CloudFlare - as stated throughout the thread this is for mod_remoteip in place of mod_remoteip

  0
• 

  cPanelLauren

  • May 28, 2020 04:01

  Please help, I am facing this error IThe "/usr/sbin/httpd -DSSL -t -f /etc/apache2/conf/httpd.conf -C Include "/etc/apache2/conf.modules.d/*.conf"" command (process 3495919) reported error number 1 when it ended. Configuration problem detected on line 1 of file /etc/apache2/conf.d/userdata/includename.conf: Invalid command 'RemoteIPHeader', perhaps misspelled or defined by a module not included in the server configuration --- /etc/apache2/conf.d/userdata/includename.conf --- 1 ===> RemoteIPHeader CF-Connecting-IP <=== --- /etc/apache2/conf.d/userdata/includename.conf ---

  
  This looks like you didn't put it in the right include. Why is this coming up as an error for the /etc/apache2/conf.d/userdata/includename.conf and not the specific conf file noted in the instructions?

  0

Please sign in to leave a comment.