After setting up a new VPS with MyHosting I noticed in the logs all the IP addresses belonged to CloudFlare. This is of course because CloudFlare proxies all the requests to speed up the site with it’s CDN. This is of little use when it comes to tracking down any malicious activity. Luckily there is an Apache module that restores the correct IP address to the log file. I’ll outline the process for getting the Apache module setup on the CentOS VPS.
This guide outlines the process, but the MyHosting VPS needed a few extra steps. Namely a few extra packages needed to compile the module from source. To compile an Apache module the axps command is used. This isn’t normally included in a normal CentOS installation, also gcc is needed and again isn’t included by default. To install these two open an ssh session as root and use yum.
# yum install httpd-devel gcc
There will be a few dependices to install as well, after these are installed. You’ll need to download the source code of the module to compile it for your system. In your home directory simply use wget like this.
# wget https://raw.github.com/cloudflare/mod_cloudflare/master/mod_cloudflare.c
Next is to compile the module itself using this command.
# apxs2 -a -i -c mod_cloudflare.c
This should finish and should add the LoadModule command to the config file for Apache. Verify this is so by looking for this line.
LoadModule cloudflare_module /path/to/modules/mod_cloudflare.so
After all of these are done, simply restart Apache.
# service restart httpd
Now verify that the module is working by visiting the site, then looking at the end of the access.log file to see that the IP belongs to your public IP and not to CloudFlare’s network.