cPanel domlogs/Webserver Access logs are showing only local server IP addresses

This happens when the server runs Nginx as a reverse proxy in front of Apache (Nginx -> Apache), that is, when the Apache-based website sits behind the Nginx reverse proxy. In such cases, the website access logs may show the server's own local IP address as the accessing IP. The reverse proxy or load balancer acts as the client to Apache, so Apache records the internal IP address in its website access log. This prevents an administrator from tracking down the real client IP addresses that access the site from the outside world.

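We can use the mod_rpaf module for Apache in this case. It restores the client address from the header the proxy forwards (X-Forwarded-For by default) for requests that arrive from a trusted proxy.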

My machine here is a CentOS/cPanel system.

cd /root
wget https://github.com/y-ken/mod_rpaf/archive/master.zip
unzip master.zip

Now compile it:

cd mod_rpaf-master/
apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

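Finally, add the module to the Apache configuration to enable mod_rpaf on cPanel. List only your own proxy addresses in RPAFproxy_ips, since any host listed there can set the client IP that gets logged: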

LoadModule rpaf_module modules/mod_rpaf-2.0.so
<IfModule mod_rpaf-2.0.c>
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 xx.xx.xx.xx
</IfModule>

Restart Apache to apply the changes:

service httpd restart
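
To confirm the change after the restart, the following added example (not part of the original post) counts how many access-log entries still record a proxy address as the client. The function names, the MAX_PCT threshold, and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Log lines and addresses below
# are constructed; 192.0.2.10 stands in for the xx.xx.xx.xx placeholder.

# proxy_hits LOGFILE PROXY_IP...
# Prints "<hits> <total>": hits = lines whose client field (first column
# of the common/combined log format) is one of the proxy addresses.
proxy_hits() (
    log=$1; shift
    awk -v ips="$*" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) proxy[a[i]] = 1 }
        NF == 0 { next }                       # ignore blank lines
        { total++; if ($1 in proxy) hits++ }
        END { printf "%d %d\n", hits, total }
    ' "$log"
)

# client_ip_restored LOGFILE PROXY_IP...
# True when the log is non-empty and at most MAX_PCT percent of entries
# (default 10, an arbitrary threshold) still show a proxy address.
client_ip_restored() (
    set -- $(proxy_hits "$@")
    [ "$2" -gt 0 ] && [ $(( $1 * 100 / $2 )) -le "${MAX_PCT:-10}" ]
)

BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.0" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /style.css HTTP/1.0" 200 90
127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.0" 302 0
EOF
cat > "$AFTER" <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:05:01 +0000] "GET / HTTP/1.0" 200 512
198.51.100.23 - - [01/Jan/2024:10:05:02 +0000] "GET /style.css HTTP/1.0" 200 90
203.0.113.7 - - [01/Jan/2024:10:05:03 +0000] "POST /login HTTP/1.0" 302 0
EOF

for f in "$BEFORE" "$AFTER"; do
    if client_ip_restored "$f" 127.0.0.1 192.0.2.10; then
        echo "$f: client addresses are being logged"
    else
        echo "$f: proxy address logged, hits/total = $(proxy_hits "$f" 127.0.0.1 192.0.2.10)"
    fi
done
```

On a live server, pass the site's domlog and the same addresses given to RPAFproxy_ips.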

A good replacement for mod_rpaf is mod_remoteip, which can be installed via EasyApache itself on cPanel servers.