mod_cloudflare is installed on Digital Ocean Ubuntu/WordPress but real IPs are not appearing in the apache2 log files - can anyone help?
Here is what I sent to digital ocean support but they have no idea:
mod_cloudflare, although installed and enabled is not passing the correct IP addresses to my log files at all.
I am seeing a lot of IP addresses like: 22.214.171.124 which I know are not correct. My test method is to use 'curl' with long easily identifiable URLs that no regular visitor (or attacker) would be likely to visit and then check my log files. At the same time as my tests I'm getting bizare IP addresses that have nothing to do with the hosts I'm performing the tests from. Why is this happening?
mod_cloudflare is definitely installed on ubuntu 14.04 running apache2. I have never seen this bizarre behavior before.
How can I fix this? This is really critical. If cloudflare's security isn't going to block attacks I definitely need to know the real IP addresses so I can block them myself!
The strange, unrecognized IP addresses are often coming from Amazon data centers - I guess CloudFlare servers are often located in Amazon data centers?
Here what I'm getting when I verify that the cloudflare module is enabled:
root@www:/var/log/apache2# apache2ctl -M | grep cloud
I tried using tcpdump and waited
until I got lucky to catch a header. It looks like it works but I am not
getting legit IPs here... I guess I still have to ask CloudFlare?
User-Agent: Podcasts/1075.33 CFNetwork/758.1.6 Darwin/15.0.0 X-Middleton/1
That one looks like it has an IPv6 address??? I never saw IPv6 in my logs
but otherwise it looks right to me. I connected to "sniff" and I found one
with a regular IP and it also looks right. But somehow I am not getting
the correct IP addresses in my logs. How can this be?
X-Forwarded-For: 126.96.36.199, 188.8.131.52
In this second case it definitely appears to be correct because the user
agent is google bot and the IP is owned by google and infosniper.net
recognizes it as a google bot IP.
So what can be going on here? I just grepped my access log for the second
IP, 184.108.40.206 and it's nowhere to be found.
I repeated my test while running tcpdump. I can see my real IP in the
tcpdump. I can find the same request in the access log but it does NOT
have my real IP. How can this be?
www.mysite.com:80 220.127.116.11 - - [03/Dec/2015:22:05:44 +0200]
18.104.22.168 is definitely not my IP. It doesn't appear in any of the
cloudflare headers at all. It also deosn't appear anywhere in the packet
capture dump either.
Can anyone figure this one out?