
Resolved Plesk Panel Log and Cloudflare - log doesn't show Real IP

Katog Choling

New Pleskian
Server operating system version
Ubuntu 22.04.3 LTS
Plesk version and microupdate number
Plesk Obsidian 18.0.55.0
Using Cloudflare (free tier), my plesk.log doesn't show the real IP address. I've successfully configured the real IP logging for Nginx and Apache using the information here, which is working fine for the nginx and apache logs etc. However, it doesn't seem to have any effect on the plesk.log which only shows the Cloudflare IP.

The reason this is a problem is that a nefarious source is attempting to log into the panel every 11 minutes and I'd like to block the IP - but it's only showing the Cloudflare address:

panel.log
Code:
...
[2023-09-06 14:58:59.533] 73515:64f893b382232 ERR [panel] Somebody tries to use the secret key for API RPC "36" from "162.158.38.254"
[2023-09-06 14:58:59.563] 73515:64f893b382232 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 162.158.38.254
[2023-09-06 15:09:56.988] 73655:64f89644f1287 ERR [panel] Somebody tries to use the secret key for API RPC "36" from "162.158.230.2"
[2023-09-06 15:09:57.024] 73655:64f89644f1287 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 162.158.230.2
[2023-09-06 15:20:51.101] 73845:64f898d318924 ERR [panel] Somebody tries to use the secret key for API RPC "36" from "162.158.38.254"
[2023-09-06 15:20:51.129] 73845:64f898d318924 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 162.158.38.254
[2023-09-06 15:31:36.396] 74038:64f89b5860b89 ERR [panel] Somebody tries to use the secret key for API RPC "36" from "162.158.38.254"
[2023-09-06 15:31:36.430] 74038:64f89b5860b89 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 162.158.38.254

Is there a way to get the plesk.log to record the real IP?
Is there another way to find the real IP?
How can I block this?
 
Yes, I'm aware that the Cloudflare proxy rewrites the origin IP address and specifies the client's IP address in an additional HTTP header. How do I configure Plesk so that the Plesk panel.log records the origin address - just like we can do for the apache and nginx logs?
 
In the panel.ini file I see entries for:

[panel] realIpFrom = 127.0.0.1
[panel] realIpHeader = X-Forwarded-For
[log] show.source = false

Could changing any of these help? Or some other setting in the panel.ini file?
 
As currently sw-cp-server does not include realip module, use one of the solutions below:
  1. Use a custom domain name (or a hostname) with a 443 port for Plesk access: Administrator's Guide: Customizing Plesk URL.
    In this case, the frontend nginx that includes realip module handles the request. The official solution provided by Cloudflare may be used in this case: Cloudflare: Restoring original visitor IPs
  2. Use a custom domain name or a subdomain, for example, https://plesk.hostname without Cloudflare as the entry point to Plesk. In this case, there will be no CDN in front of Plesk.
  3. Configure Plesk to trust Cloudflare.
    Currently, there is a restriction: Plesk does not allow IP ranges in the configuration. This behavior is known as the Plesk bug with ID #PPP-52375, which is planned to be fixed in future Plesk updates.
    However, it is possible to use some particular IP addresses. The lines like the below may be added to the panel.ini file. Add them using the Panel.ini Editor extension or by modifying the /usr/local/psa/admin/conf/panel.ini directly on the server:
    [panel]
    realIpFrom = 127.0.0.1, <CloudflareIP1>, <CloudflareIP2>
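
Because option 3 needs individual addresses rather than ranges, the proxy addresses to list can be taken from panel.log itself. The following is an added example, not part of the thread or Plesk's own code: it counts the logged sources of ERR lines, separates Cloudflare edge addresses from direct clients, and builds the `realIpFrom` line. The function names, the range subset and the last sample log line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips/ before use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in
                   ("162.158.0.0/15", "173.245.48.0/20", "104.16.0.0/13")]

# Matches both message shapes in the thread's panel.log excerpt.
SRC_RE = re.compile(r'from (?:IP |")(\d{1,3}(?:\.\d{1,3}){3})')

def failed_sources(log_text):
    """Count ERR lines per logged source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line) if " ERR " in line else None
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(1))  # drop strings like 999.1.1.1
        except ValueError:
            continue
        counts[m.group(1)] += 1
    return counts

def is_proxy(ip, nets=CLOUDFLARE_NETS):
    """True when the logged address is a proxy edge, not the client."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def real_ip_from_line(counts):
    """Build the panel.ini line from the proxy addresses actually seen."""
    seen = sorted((ip for ip in counts if is_proxy(ip)), key=ipaddress.ip_address)
    return "realIpFrom = " + ", ".join(["127.0.0.1"] + seen)

# First four lines are from the thread; the last one is constructed.
SAMPLE = """\
[2023-09-06 14:58:59.533] 73515:64f893b382232 ERR [panel] Somebody tries to use the secret key for API RPC "36" from "162.158.38.254"
[2023-09-06 14:58:59.563] 73515:64f893b382232 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 162.158.38.254
[2023-09-06 15:09:56.988] 73655:64f89644f1287 ERR [panel] Somebody tries to use the secret key for API RPC "36" from "162.158.230.2"
[2023-09-06 15:09:57.024] 73655:64f89644f1287 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 162.158.230.2
[2023-09-06 15:40:00.000] 74100:0000000000000 ERR [extension/rest-api] [Action Log] Failed login attempt with login '<invalid>' from IP 203.0.113.7
"""

if __name__ == "__main__":
    counts = failed_sources(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n:3} {'cloudflare edge' if is_proxy(ip) else 'direct client'}")
    print(real_ip_from_line(counts))
```

Only addresses reported as direct clients are candidates for a firewall block; blocking an edge address blocks Cloudflare itself rather than the source of the login attempts.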
 