X-Real-IP Header Support?

[Shyuan]

Hi there,

I am new to the http headers, kindly bear with me if I'm not using the right term to describe my request.

I know Litespeed support X-Forwarded-For, but not X-Real-IP. Wonder if you can add support for it? The ddos protection that I use only sends X-Real-IP and they refused to send X-Forwarded-For. I know you cannot do something for my sole benefit, but I'm just sending in this query. My WHM/cPanel all detect the proxy IP instead of client IP whenever there are bruteforce attacks (just one of the examples). I am not sure how complex it can be in order to implement it, but i wonder if this is something considerable? Or is there alternative way that could convert X-Real-IP into X-Forwarded-For so that my whole server would read the real client IP?

Thank you

 

[NiteWave]

Hi, the X-Real-IP should be in X-Forwarded-For, or part of X-Forwarded-For

to confirm this, you can create a phpinfo page and check
_SERVER["HTTP_X_FORWARDED_FOR"]

to let the value of X-Real-IP header seen by php script, you can add a rewrite rule in .htaccess
RewriteCond %{HTTP:X-Real-IP} ^(.*)$
RewriteRule (.*) - [E=X-REAL-IP:%1]

so in your phpinfo page, you can find
_SERVER["X-REAL-IP"]
is there.

compare the value of
_SERVER["HTTP_X_FORWARDED_FOR"]
_SERVER["X-REAL-IP"]

 

[Shyuan]

Hi, the X-Real-IP should be in X-Forwarded-For, or part of X-Forwarded-For

Hi NiteWave, I didn't know that, thanks for letting me know.

to confirm this, you can create a phpinfo page and check
_SERVER["HTTP_X_FORWARDED_FOR"]

to let the value of X-Real-IP header seen by php script, you can add a rewrite rule in .htaccess
RewriteCond %{HTTP:X-Real-IP} ^(.*)$
RewriteRule (.*) - [E=X-REAL-IP:%1]

so in your phpinfo page, you can find
_SERVER["X-REAL-IP"]
is there.

compare the value of
_SERVER["HTTP_X_FORWARDED_FOR"]
_SERVER["X-REAL-IP"]

Seems like this only applies to the application/script level instead of server level? Can you clarify? Thank you

 

[NiteWave]

for server level, can you give more details how to make use of such IPs?

here is one example: with above rewrite rule, you can log the x-real-ip in access log with following parameter:
%{X-REAL-IP}e

related apache document:
http://httpd.apache.org/docs/current/mod/mod_log_config.html

 

[Shyuan]

Hi NiteWave,

Here's a more detailed explanation with what I'm trying to do.

My server is installed with Litespeed and using cPanel/WHM.

So my proxy works this way: Visitors visit my site or bruteforce attack on certain ports (or even when I visit and login to my WHM/cPanel) > Traffic hit on Proxy IP > Traffic being sent to backend IP (i.e. my server)

I think the major issue I have is that, I whitelisted my DDoS Protection Proxy IPs in my CSF (in WHM) because my proxy IPs are in charged of forwarding traffic to my server. But, whenever there are bruteforce attacks, WHM login alerts and so on, it shows that my Proxy IPs were the attackers (because my server couldn't read the real visitor IP, instead it reads the Proxy IPs) and CSF is trying to blacklist these Proxy IPs, which actually creates a contradict situation because my proxy IPs are supposed to be whitelisted and the culprits' real IPs are supposed to be blacklisted. Besides, cPanel accounts (and its statistics script such as logaholic) all logged the proxy IP instead of visitor's real IP.

I turned on the "Use Client IP in Header" (which handles the x-forwarded-for), but it didn't help. So I consulted my DDOS provider, they told me they only send X-Real-IP and ask me to check with Litespeed whether you can have X-Real-IP implemented, hence here I was.

If this is not exactly Litespeed related, it would be great if you can point me to the right direction, thank you very much (also for the link)

 

[NiteWave]

much clear now ... another question: is the Proxy IP on your server or not ?
if Proxy IP not on your server, how can you block those X-Real-IPs ?

 

[Shyuan]

Hi NightWave,

I guess you raised a very good question!

Indeed the proxy IP is not on my server. And I see the point why you were asking that.

But shouldn't it be the case like below?

Traffic hit proxy IP at DDoS provider > DDoS provider forward the traffic and X-real-ip to my server > litespeed and cpanel/whm detect the x-real-ip > CSF block the x-real-ip (for being brute force for example). So the next time when the same x-real-ip hit my server again, my server will know this is a blacklisted x-real-ip. Or in another exanple, WHM should detect x-real-ip being the real IP that logged into whm.

 

[NiteWave]

should only server (proxy IP on it) at DDoS provider can block the X-Real-IPs

so the best WHM or litespeed can do is to provide the list of x-real-ip to proxy server(at DDos provider), then proxy server block these IPs.

is the DDoS provider cloudflare ?

I think apache don't support X-Real-IP (unless there is a apache module to implement it) directly as well.

I guess how WHM and DDoS provider can work together:
1)define a global access.log file in apache's httpd.conf, which contains time stamp and x-real-ip only
2)define a global file with rewrite rule
RewriteCond %{HTTP:X-Real-IP} ^(.*)$
RewriteRule (.*) - [E=X-REAL-IP:%1]
which is included into every virtual host
3)WHM scan this global access log, identify which IP should be blocked, and send the list to DDoS provider.