From 3844fddda8c4cf6edd79d2ed3272924bcb911529 Mon Sep 17 00:00:00 2001
From: Developer <dev@localhost>
Date: Mon, 20 Apr 2026 19:32:14 -0400
Subject: [PATCH] CRITICAL FIX: Access log selection - prefer HTTPS (-ssl_log)
 over HTTP

Most modern traffic is HTTPS. The script was only reading HTTP logs,
causing completely wrong traffic percentages. Now prioritizes:
1. domain-ssl_log (HTTPS) - where 95%+ of real traffic is
2. domain (HTTP) - fallback for older sites

This fixes backwards traffic analysis where low-traffic HTTPS sites
appeared as high-traffic and vice versa.
---
 lib/php-scanner.sh | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/lib/php-scanner.sh b/lib/php-scanner.sh
index be0e3ea..b760263 100755
--- a/lib/php-scanner.sh
+++ b/lib/php-scanner.sh
@@ -484,25 +484,38 @@ find_domain_access_log() {
     case "${SYS_CONTROL_PANEL:-unknown}" in
         cpanel)
             # cPanel standard locations for access logs
-            # Primary: /var/log/apache2/domlogs/DOMAIN (or DOMAIN-error_log, etc)
-            # Secondary: /home/USER/access-logs/ (symlink to above)
+            # CRITICAL: Must check HTTPS (ssl_log) first since that's where 95%+ of traffic is
+            # Format: /var/log/apache2/domlogs/DOMAIN-ssl_log (HTTPS) or DOMAIN (HTTP)
             local log_file
 
-            # Try standard cPanel domlogs directory FIRST (primary location)
-            log_file=$(find "/var/log/apache2/domlogs" -maxdepth 1 -type f -name "*${domain}*" 2>/dev/null | head -1)
+            # Try standard cPanel domlogs directory FIRST - PREFER SSL LOG (HTTPS)
+            # Most modern traffic is HTTPS, so -ssl_log has the real traffic data
+            if [ -f "/var/log/apache2/domlogs/${domain}-ssl_log" ]; then
+                log_file="/var/log/apache2/domlogs/${domain}-ssl_log"
+            elif [ -f "/var/log/apache2/domlogs/${domain}" ]; then
+                log_file="/var/log/apache2/domlogs/${domain}"
+            fi
 
             # If not found, try user's access-logs directory (symlink, follows)
             if [ -z "$log_file" ]; then
                 local owner
                 owner=$(find_domain_owner "$domain")
                 if [ -n "$owner" ] && [ -d "/home/${owner}/access-logs" ]; then
-                    log_file=$(find -L "/home/${owner}/access-logs" -maxdepth 1 -type f -name "*${domain}*" 2>/dev/null | head -1)
+                    if [ -f "/home/${owner}/access-logs/${domain}-ssl_log" ]; then
+                        log_file="/home/${owner}/access-logs/${domain}-ssl_log"
+                    elif [ -f "/home/${owner}/access-logs/${domain}" ]; then
+                        log_file="/home/${owner}/access-logs/${domain}"
+                    fi
                 fi
             fi
 
             # Try alternative cPanel path
             if [ -z "$log_file" ] && [ -d "/etc/apache2/logs/domlogs" ]; then
-                log_file=$(find "/etc/apache2/logs/domlogs" -maxdepth 1 -type f -name "*${domain}*" 2>/dev/null | head -1)
+                if [ -f "/etc/apache2/logs/domlogs/${domain}-ssl_log" ]; then
+                    log_file="/etc/apache2/logs/domlogs/${domain}-ssl_log"
+                elif [ -f "/etc/apache2/logs/domlogs/${domain}" ]; then
+                    log_file="/etc/apache2/logs/domlogs/${domain}"
+                fi
             fi
 
             echo "$log_file"