Set up X-Forwarded-For in cPanel/WHM

You are here:
Estimated reading time: 1 min
This configuration is only required if you’re using DNAT redirection mode for the WAF module.

If you are using cPanel/WHM please make sure to open/allow the 60418 port on TCP on your server and on the firewall in front of it (if there is one). It is required for the CaptchaHTTPS service.

This header needs to be set up in your web server used to serve your domains.

Please insert your server’s IP addresses in the place of “INSERT YOUR IP ADDRESS(ES) HERE“.

What web server do you use?

I use Apache

The WAF module requires the remoteip_module.

Please make sure it is installed on the server.
In Apache, you can check if the remoteip_module is installed with the apachectl -M |grep remoteip command.

Go to:

  1. Home
  2. Service Configuration
  3. Apache Configuration
  4. Include Editor
  5. Pre Main Include ( Here choose All version )
  6. Please enter the following text into the text field
<IfModule remoteip_module>
    RemoteIPHeader X-Forwarded-For
  1. Set the LogFormat (combined) under “Global Configurations” to
    %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
  2. Then save the changes and restart Apache
Apache X-Forwarded-For header:
In case of multiple IP addresses separate the IPs with space. e.g.:

I use LiteSpeed

Please go to the LiteSpeed Configuration menu and select the Server and select General. In General / Settings menu you can see Use Client IP in Header.
Here select Trusted IP Only.

You can add the IP address(es) of your server under General tab under Security at Access Control at the Allowed list.
You just need to add your server’s IP addresses separated with space.
You can check out the syntax here:

Entering “ALL“ into the allowed list is not sufficient.

If your server has an IP range or IP ranges you can add the range to the Allowed list and add “T” after. e.g.:
If the server’s IP addresses are not within one range you need to add the IP addresses one-by-one separated with a comma(,).
If you need to add multiple IP ranges you can do that the same way, separating the ranges with commas(,).

Change the Logformat setting under the General tab/ Log tab to look like this:

%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

After this is done save the changes and restart Litespeed.

I Use Nginx

  1. Open the Engintron plugin in WHM (if you are not using any ControlPanel, skip to step 2)
  2. Click on the Edit nginx.conf
  3. Insert the following codes before the real_ip_header X-Forwarded-For line:
real_ip_header    X-Forwarded-For;
real_ip_recursive on;
Eg trusted ips:
set_real_ip_from <INSERT YOUR IP ADDRESS(ES) HERE>;
  1. Please also check the logformat in the file if it looks like this:
%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  1. After this Save the changes and restart Nginx
If You use a Reverse proxy
Set up the X-Forwarded-For header in your reverse proxy too if you use one.
If you use a reverse proxy in front of your web server then setting up the X-Forwarded_for header only in the web server is not sufficient.

Enable the WAF module

You can enable the module from the Dashboard/ Servers by clicking on the cogwheel next to the server’s name. You just need to click on the switch icon next to the WAF 2.0 module.

WAF Rules

You can reach the WAF rules by clicking on the Firewall menu point at the top and then selecting the Web Application Firewall menu point.
Let’s test WAF

You can test if the WAF module is working if you add /?test=/etc/passwd after one of the domains hosted on the server. e.g.: It will trigger the WAF module.

You can also test the module by following this guide.

Was this article helpful?
It was not helpful
Views: 2604