Setup Apache server to get Original Client IP from NodeBalancer

Hello Guys,

I am using an Apache server behind the Load Balancer and I want to get the original client IP instead of the NodeBalancer IP.

I installed the mod_rpaf module from the link below on the Apache server.

https://github.com/gnif/mod_rpaf

I am using the configuration below, as you can see.

Hello,

Thanks for your update.

But all of the links have the same thing which I have already applied.

Let me explain my scenario.

I am using Apache 2.4 and I have installed the mod_rpaf module on the server; it is installed properly, as you can see from the module details below.

[root@server httpd]# httpd -M | grep rpaf
rpaf_module (shared)

Below is the configuration file.

RPAF_Enable On
RPAF_ProxyIPs 192.168.255.57 96.126.119.115
RPAF_Header X-Forwarded-For
RPAF_SetHostName On
RPAF_SetHTTPS On
RPAF_SetPort On

In this I have used the IP of the NodeBalancer and the IP which I am getting in the access log (it may be the load balancer's private IP) in the field "RPAF_ProxyIPs".

In the httpd.conf file I am using the LogFormat below.

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwarded

I have defined the below in httpd.conf as well.

RemoteIPHeader X-Forwarded-For


After all this, in my VirtualHost configuration file, I used the below to get the IP in the access logs.

CustomLog "logs/sslmcaprotoolsaccess_log" combined-forwarded

But I am not getting the client's actual IP, as you can see below from the access log.

192.168.255.57 - - [30/Sep/2017:02:46:49 -0400] "GET /team6fig/?s1=Maaron95 HTTP/1.0" 200 107763 "https://website.com/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"


It looks like I need to set up a proxy in httpd.conf, so can anybody give me the configuration block for the same, as this is written in the link below: https://www.linode.com/docs/platform/nodebalancer/nodebalancer-reference-guide#x-forwarded-for-header

I will be waiting for a resolution on this.

Thanks

Nitesh

15 Replies

In CentOS it is pretty easy to do. Here is what I've done:

In Apache, load the remoteip module and configure the correct header (X-Forwarded-For in my case). All can be done in a single config file:

/etc/httpd/conf.d/remoteip.conf

LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.0.0/16

Change the proxy IP address to whatever is the netmask/network or single IP of your haproxy or load balancer.

Hello,

I disabled the mod_rpaf module on the server and enabled the mod_remoteip module.

Check below.

[root@mcaserver1 conf.d]# httpd -M | grep remote
remoteip_module (shared)

I created the file "/etc/httpd/conf.d/remoteip.conf" and added the entries below in that.

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.255.0/24

Below is my custom log file.

LogFormat "%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

Using this in the VirtualHost like this: "CustomLog "logs/sslaccesslog" vhost_combined", I am getting the log below.

websitename.com:443 - - - [09/Oct/2017:05:22:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 548 "https://websitename.com/discover/?ref=StartGrowing" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

It looks like the data from X-Forwarded-For should come there, which is missing after "websitename.com:443 ".

Can you please tell me if I am missing anything there.

In CentOS, the default LogFormat lines look like:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

The above uses %h, which is the "Remote hostname or IP address" of the real remote peer (in this case the load balancer).

So you need to change %h to %a, which is the "Client IP address" supplied by the remoteip module after the RemoteIPHeader directive has been parsed.

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common

More details about this behaviour and %a can be found in the docs: http://httpd.apache.org/docs/current/mod/mod_remoteip.html

Hello,

I used that as well; below is my configuration right now.

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common
CustomLog "logs/sslaccesslog" combined

Still, I am getting the error log below.

192.168.255.57 - - [09/Oct/2017:10:00:32 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "https://website.com/wp-admin/edit.php?posttype=course" "Mozilla/5.0 (Macintosh; Intel Mac OS X 1012_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

Here the IP "192.168.255.57" is the load balancer's private IP.

I'm guessing that one of the following is wrong:

Check with Linode that their NodeBalancer uses X-Forwarded-For; it's possible that they use a different header.

Change the RemoteIPInternalProxy setting to something different, like 192.168.255.0/24

If you use HTTPS, then make sure it terminates at the NodeBalancer. Otherwise the NodeBalancer won't be able to set the X-Forwarded-For header (because the packets are encrypted).

user -> https -> nodebalancer (can't decrypt) -> https -> web server (logs the nodebalancer ip)

user -> https -> nodebalancer (decrypt, add header) -> http -> web server (logs the user ip)
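As an added illustration (not code from this thread, from Linode, or from Apache httpd itself), the Python below models how mod_remoteip derives the value logged by %a from X-Forwarded-For and RemoteIPInternalProxy, and why both failure modes discussed here leave the balancer's address in the log: a header that never arrives (TCP passthrough, where the balancer cannot add one to an encrypted stream) and a peer outside the trusted range (whose header is ignored, which is also what stops a client from spoofing its own address). The trusted range and the balancer address 192.168.255.57 are taken from the configuration and logs above; the other addresses are constructed documentation addresses.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample configuration: the /24 holding the balancer's private
# address seen in the thread's logs (192.168.255.57), as RemoteIPInternalProxy.
INTERNAL_PROXIES = ["192.168.255.0/24"]


def _trusted_networks(internal_proxies: Iterable[str]):
    """Parse RemoteIPInternalProxy-style entries (single IPs or CIDR blocks)."""
    return [ipaddress.ip_network(p, strict=False) for p in internal_proxies]


def _is_trusted(ip: str, nets) -> bool:
    """True if ip lies inside one of the configured internal proxy networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def resolve_client_ip(peer_ip: str, xff: Optional[str],
                      internal_proxies: Iterable[str] = INTERNAL_PROXIES) -> str:
    """Return the address Apache would log as %a (model of mod_remoteip).

    peer_ip -- the TCP peer, what %h logs (here the NodeBalancer's private IP)
    xff     -- the X-Forwarded-For value as received, or None when absent
    """
    nets = _trusted_networks(internal_proxies)
    # No header (TCP passthrough) or a peer that is not a configured proxy:
    # the header is ignored and %a is simply %h.
    if xff is None or not _is_trusted(peer_ip, nets):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    client = peer_ip
    # Walk the chain right to left, discarding every hop that is one of our
    # own proxies; the first address that is not ours is the client. A
    # malformed entry stops the walk at the last valid address.
    while hops and _is_trusted(client, nets):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break
        client = candidate
    return client


def log_fields(peer_ip: str, xff: Optional[str]) -> dict:
    """The two LogFormat fields the thread is comparing, side by side."""
    return {"%h": peer_ip, "%a": resolve_client_ip(peer_ip, xff)}


if __name__ == "__main__":
    # Constructed requests: 203.0.113.10 stands in for a real client and
    # 198.51.100.7 for a peer that is not the balancer.
    samples = [
        ("HTTP forwarding, balancer adds header", "192.168.255.57", "203.0.113.10"),
        ("TCP passthrough, no header arrives", "192.168.255.57", None),
        ("direct hit with a spoofed header", "198.51.100.7", "203.0.113.10"),
        ("two balancer hops in the chain", "192.168.255.57", "203.0.113.10, 192.168.255.9"),
    ]
    for label, peer, xff in samples:
        f = log_fields(peer, xff)
        print(f"{label:40s} %h={f['%h']:15s} %a={f['%a']}")
```

The second sample reproduces the log lines posted in this thread: with TCP forwarding on the NodeBalancer there is no header to parse, so %a falls back to %h and the balancer's 192.168.255.57 is what gets written, whichever of the two format strings is used.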

I am using a TCP port instead of HTTP forwarding because I was getting an error while using HTTP forwarding.

Well, if you use TCP then you are terminating HTTPS (SSL/TLS) connections at your web server, so you won't be able to see the user's real IP address.

You need to switch from TCP to HTTP/HTTPS on the NodeBalancer and set up your encryption keys there.

What kind of error did you receive when you tried HTTP forwarding?

I am running HTTPS on my website, so when I try to forward that over HTTPS to HTTP or HTTPS, I am getting a redirect loop issue, as I am running WordPress and it is set up with HTTPS.

Unfortunately you don't have many options:

1) keep NodeBalancer TCP forwarding and terminate HTTPS on the web server, but you lose the user's IP

2) change to terminating HTTPS at the NodeBalancer with HTTP forwarding, and log the user's IP correctly

But with the second option, you need to modify your WordPress to accept plain HTTP connections, with special care for the WordPress template to use HTTPS links in the generated HTML content.

In my case, I set the following in my wp-config.php:

define('WP_HOME', 'https://…');
define('WP_SITEURL', 'https://…');
define('WP_CONTENT_URL', 'https://…');

I also changed the template links, so everything is HTTPS, and I made sure that my .htaccess didn't redirect plain HTTP connections.

Maybe I made more changes, I don't remember, it has been many years since I did that.

So I need to change the NodeBalancer connection from TCP to HTTPS.

Can you please give me the configuration setting for the NodeBalancer so I can check it against mine, as well as on which port I will need to add nodes.

I no longer use Linode's NodeBalancer because I need to host 10+ certificates and the NodeBalancer only supports one certificate, thus I've set up a server with haproxy, which is useful for more complex setups.

Take a look at this guide, maybe it's helpful to you:

https://www.linode.com/docs/platform/nodebalancer/nodebalancer-ssl-configuration

Otherwise contact Linode's support via a ticket.

Can you please tell me if I can terminate the session at the server end like you have given below.

In my case, I set the following in my wp-config.php:

define('WP_HOME', 'https://…');
define('WP_SITEURL', 'https://…');
define('WP_CONTENT_URL', 'https://..

If I do that, in that case, I will not get the redirect loop issue.

Please correct me if I am wrong.

Also, with that, can you please give me the HAProxy guide you followed to set up the load balancer.

I made the above changes to wp-config.php because I'm terminating HTTPS at the haproxy server, NOT at the web server. You can try them on your system, but I don't know anything about your setup, so I can't really say if that change is the only thing you need or if it will work or not.

To set up my haproxy server, I used this project. It's for CentOS 7, but you can take a look at the haproxy configuration and copy it.

Okay, thanks for your update.
