Any of you use Incapsula or a WAF? Big issue with WAF firewall IP and affiliate programs


New Member
I'm a happy KH customer and support has been great so far (although I've had a couple of not-so-great incidents from the support team). In any case, I trust my business to be hosted here at KH and look to have my business here at KH long term (i.e. many years). This is my first forum post and it is about an important issue I have with Incapsula' WAF, so I thought that posting my issue here would benefit others; here it goes.

I would like to use Incapsula on my sites because I am getting some heavy traffic to my sites and it is time to add another layer of protection with a WAF, and Incapsula's WAF looks like an excellent option. The problem? By using Incapsula, a visitor is "tagged" and logged in the server with the IP of the firewall (i.e. WAF) that the visitor must go through before visiting the site, meaning that even if you get thousands and thousands of real visitors (not just bots), they're all going to be having the temporary IP (or IP range) of the Incapsula firewall. And this is not good.

It is not good because some affiliate programs and Adsense (Google's advertising platform for us webmasters to make money via ads) will register all clicks on their advertising as though they're coming from the "same" IP. This means that there is a risk that the affiliate/Adsense sees you're committing "click fraud" and you'll be banned from the affiliate program. In fact, there have been quite a few bans in the past with CloudFlare (which offers a WAF like Incapsula), where many webmasters using Adsense where banned because of this "apparent" click fraud. Thus, CloudFlare developed a mod_cloudflare extension that returns the real IP of the visitor upon the visitor hitting the firewall and exiting it to visit a site. This is good, but Incapsula does NOT offer this. Incapsula have some outdated scripts from 2008 that don't even work or require a very technical background to use. Ergo, I would be kind of tied to this issue and risk several affiliate programs I am partnered with.

My question is, are any of you using (or have used) Incapsula? And if so, how have you gone about it? Do any of you use CloudFlare without the mod_cloudflare or have not used mod_cloudflare in the past while using CloudFlare? Did you find any changes in affiliate commissions or Adsense earnings? Were any of you banned or reported?

I have been researching for some days about this issue of having all your IPs being logged with the IP of the firewall, and it certainly points out to a risk with any affiliate or Adsense program being used.

I would appreciate any experience or input from fellow KH customers, webmasters and even the KH support team. As said, I thought of posting this question here because I am sure many fellow webmasters are using or will be using a WAF (e.g. Incapsula or CloudFlare) and may be running a risk if also being an affiliate partner or Adsense partner.

Looking forward to your replies!


P.S. Please also look at my post below with the "alternative" solution I was offered by Incapsula. I would really appreciate a reply on this solution by KH support, please.
This is what Incapsula's support has mentioned. Unfortunately, I don't know what to make of it, so I would appreciate if KH support team could comment on this and if this is a feasible option to implement in a VPS. I am interested in this solution not affecting my sites' performance as well as genuinely working because, otherwise and as said, I would be risking my affiliate partnerships, and this is absolutely NOT an option that I will tolerate (i.e. I need 100% assurance it will work and I'd appreciate a comment on this particular concern of mine by KH's support team).

Below is Incapsula's reply; please comment on this and it's feasibility as per my above concerns and requirements. Thanks. Also please let me know if you'd like me to take this to the support team itself too for further customized replies.
You can easily extract the original client IPs yourself. Incapsula inserts the original client IP address into two HTTP headers so it can be retrieved by the server for processing. The first is the standard HTTP header "X-Forwarded-For" and the second is an Incapsula header "Incap-Client-IP".

For example, configuring Apache to use the X-Forwarded-For instead of (or in conjunction with) the normal HTTP client header is pretty simple. Open your configuration file (usually in /etc/httpd/conf/) and find the section describing the log formats. Then add the following to the log format you want to modify, or create a new one that includes this to extract the X-Forwarded-For.