Cloudflare issue: Does CSF run before Apache?

Posted: 15 Dec 2023, 01:48
by GoWilkes
I'm using Cloudflare, and dealing with attacks that LOOK like they're coming from Amazon / Cloudflare IPs. At 3:06pm today my server load went from 0.68 to 150 inside of 1 second :-O

When Cloudflare sends the IP, it shows up as X-Forwarded-For. I use Apache's mod_remoteip to change that to REMOTE_ADDR in Apache config, using:

RemoteIPHeader X-Forwarded-For

But I'm not sure whether CSF would see the real IP of the user. Does CSF run before Apache (in which case REMOTE_ADDR wouldn't have been modified), or after? If it runs after Apache, how do I get CSF to use X-Forwarded-For?

Re: Cloudflare issue: Does CSF run before Apache?

Posted: 15 Dec 2023, 04:58
by GoWilkes
Update: At around 9pm I enabled CF_ENABLE via WHM by changing the value to "1"; that was an educated guess, the description didn't say HOW to enable it. I left the other values in the Cloudflare section at their default.

I noticed, though, that CSF refers to mod_cloudflare in this section, which has been deprecated. The recommended module to use now is mod_remoteip. I don't know if that's an issue for CSF?

I haven't had any major spikes since my last post, but I just looked at the sys-snap log from 11:30pm. At that time I had 730 active connections; 646 of the IPs belong to Amazon, and 81 belong to Cloudflare. The remaining 3 were legit users.