Get client public ip on apache server used behind load balancer

Posted December 4, 2017 28.2k views
Apache, Load Balancing, Ubuntu 16.04

We have two Apache servers behind DO LB. Is there any setting we need to do in LB or Apache to get this, as HTTP_FORWARDED_FOR, HTTPS_X_FORWARDED_FOR and REMOTE_ADDR are not working?

edited by asb

2 answers

DigitalOcean Load Balancers set the X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers to give backend nodes information about the original request. For the original client’s IP address to appear in your logs, you’ll need to make a few configuration changes.

First, make sure that mod_remoteip is enabled. On an Ubuntu or Debian instance, you can do this with:

  • sudo a2enmod remoteip

Next, there are two changes that you will need to make to your Apache configuration (located at /etc/apache2/apache2.conf on Ubuntu and Debian). You’ll need to add this line:

RemoteIPHeader X-Forwarded-For

As well as make an edit to the LogFormat line that matches the one used in your virtual host. By default that is the combined format. It would look like this in your virtual host config:

        CustomLog ${APACHE_LOG_DIR}/access.log combined

Find the matching LogFormat line in your Apache conf and change:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

to:

LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

This tells Apache to log the client IP as recorded by mod_remoteip (%a) rather than hostname (%h). For a full explanation of all the options, see the Apache docs here.

For more information on configuring custom logging directives in Apache, check out:

by Justin Ellingwood
Apache can be configured to log a large quantity of information to help you diagnose problems and keep an eye on activity. In this guide, we will discuss how Apache handles logging and how you can create your own custom logging rules and rotation schemes.

Will this work with LB configured for SSL passthrough?

  • Yes, my apache configuration (SSL passthrough using F5 load balancer):

    RemoteIPHeader X-Forwarded-For

    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy

    It’s a must to use %a instead of %h to extract X-Forwarded-For header.

    For logs related to https:
    ErrorLog /opt/LOGS/ssl-error.log
    SetEnvIf X-Forwarded-For "^......." forwarded
    CustomLog /opt/LOGS/ssl-access.log combined env=!forwarded
    CustomLog /opt/LOGS/ssl-access.log proxy env=forwarded

    But my Apache servers have DG pointing towards the firewall interface, so it’s necessary to use SNAT for internal access in the F5 load balancers (to avoid asymmetric routing). I use an iRule to translate only internal requests towards the Apache servers (backends).
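
Added example, not part of the original answers: the `proxy` format above logs the raw X-Forwarded-For header, which can hold a comma-separated list whose left-hand entries were supplied by the client. This Python sketch is a simplified model of picking the address to trust by walking the list right to left through known proxies; the `TRUSTED_PROXIES` range and all sample addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the range your load balancer connects from (placeholder value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/16")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Resolve the client address from the TCP peer and an X-Forwarded-For value.

    Walks the header right to left and stops at the first hop that is not a
    trusted proxy; entries further left were reported by that hop and are
    not verified.
    """
    if not is_trusted(peer) or not xff or xff == "-":
        return peer  # header ignored: the sender is not our load balancer
    current = peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = hop
        if not is_trusted(hop):
            break
    return current


# Constructed (peer, X-Forwarded-For) pairs as they could appear in a log.
SAMPLES = [
    ("10.10.0.5", "203.0.113.7"),             # normal request via the LB
    ("10.10.0.5", "192.0.2.1, 203.0.113.7"),  # client sent its own header
    ("198.51.100.9", "192.0.2.1"),            # request that bypassed the LB
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"{peer:15} {xff:25} -> {client_ip(peer, xff)}")
```
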