CloudFlare & WHM/cPanel Apache Server Firewall Conflict

Jeff - Technical Articles & Notes

CloudFlare adds another level of security and resilience in front of our dedicated server. It’s an excellent idea and for basic use, it’s completely free. Fab.

However, there’s a problem.

Because all server traffic routed via CloudFlare effectively comes from CloudFlare’s own IP addresses, and because it’s imperative that CloudFlare’s IP address ranges are never blocked (because one bad apple would spoil the bunch), they have to be white-listed in our server’s firewall.

The result is that any brute force attack which CloudFlare fails to detect can bash away repeatedly and indefinitely without ever being blocked. Here’s a log entry showing this happening:

Jun 28 11:34:52 server7 lfd[30520]: *Error*: csf output: deny failed: 141.101.88.219 is in the allow file /etc/csf/csf.allow

CloudFlare do send the originator’s IP address with each request, in a header named CF-Connecting-IP, so all that’s required is to switch this value into the REMOTE_ADDR slot before Apache passes the request information on to the rest of the server processes.
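The substitution described above, as an added Python sketch (not code from the original post or from mod_cloudflare): the header is honoured only when the connection itself arrives from a trusted CloudFlare range, because a client connecting directly can put any value it likes in CF-Connecting-IP. The function name, the single trusted range and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Assumption: an illustrative subset of CloudFlare's published ranges, chosen to
# cover the proxy address in the log entry above; load the current list in practice.
TRUSTED_PROXIES = [ipaddress.ip_network("141.101.64.0/18")]


def effective_client_ip(peer_ip, headers):
    """Return the address the firewall should count failures against."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: the header is client-supplied, so ignore it.
        return str(peer)
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == "cf-connecting-ip"), None)
    if value is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        # Malformed value: fall back to the connecting address.
        return str(peer)


# Constructed sample requests: (connecting address, request headers).
SAMPLES = [
    ("141.101.88.219", {"CF-Connecting-IP": "203.0.113.50"}),    # via CloudFlare
    ("198.51.100.7", {"CF-Connecting-IP": "141.101.88.219"}),    # direct, header ignored
    ("141.101.88.219", {"cf-connecting-ip": "not-an-address"}),  # malformed header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, "->", effective_client_ip(peer, hdrs))
```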

CloudFlare provide an Apache module for precisely this purpose. At the time of writing, their installation instructions are here:

https://support.cloudflare.com/hc/en-us/articles/206175737-How-do-I-restore-original-visitor-IP-with-EasyApache-cPanel-

This says I need to install mod_cloudflare and then re-compile Apache to include it, using this line:

bash <(curl -s https://raw.githubusercontent.com/cloudflare/mod_cloudflare/master/EasyApache/installer.sh)

This didn’t work on CentOS 6.6 so instead I did:

curl -s https://raw.githubusercontent.com/cloudflare/mod_cloudflare/master/EasyApache/installer.sh > cfi.sh

Which downloads the module installer and places it in file cfi.sh.

I then ran that installer with:

sh cfi.sh

And then removed the install file (for tidiness):

rm cfi.sh

I then used EasyApache to rebuild Apache, taking care to tick the CloudFlare module option box.

Hey presto. The server now sees the attacker’s IP address instead of CloudFlare’s and so is able to block it successfully when a security level is triggered.