Valid for Cloud Servers, VPS+, Dedicated Servers, and Value Servers running Linux and Apache HTTP Server.

This article explains how to capture the original user IP behind a load balancer by logging the X-Forwarded-For header in the Apache configuration on Linux.

If Apache is located behind a load balancer, the user's actual IP address is overwritten by the load balancer's IP address. The Apache log file will then only contain the load balancer's address. We'll show you how, under certain conditions, you can also log the original user IP address.

The HTTP protocol provides the X-Forwarded-For header for this scenario. This header is used to transmit the user's IP address when accessing a web server through a proxy or load balancer. Since Apache does not use this header by default, the Apache configuration must be adjusted.

Note

For technical reasons, the load balancer can only transmit the IP address for unencrypted requests, so the solution described here only works for those. If the request is made via HTTPS, no header entry can be added, since communication between client and web server is completely encrypted (it is not possible to install a separate SSL certificate on the load balancer).

To customize Apache's logging settings to include the X-Forwarded-For header:

  • In the Apache configuration file apache2.conf (CentOS: httpd.conf), add a log format entry with the variable %{X-Forwarded-For}i.

    An example of a LogFormat directive (named "proxy"):

    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" proxy

  • Add a CustomLog entry for the desired domains in the configuration files of the corresponding virtual hosts.

    In the following example, Apache is instructed to store data for domain.tld in the access.log file using the "proxy" log format:

    <VirtualHost domain.tld:80>
    .
    #CustomLog logs/access.log combined
    CustomLog logs/access.log proxy
    .
    </VirtualHost>

  • Restart the Apache service for the change to take effect.
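
The first field of the "proxy" format is whatever arrived in the header, so it can hold several comma-separated entries or "-" when a request did not pass through the load balancer. The following parser for that log format is an added example, not part of the original article; the names `client_ip`, `parse_line` and `trusted_proxies` are hypothetical, and it assumes the load balancer appends the address it saw as the last entry.

```python
import ipaddress
import re

# Matches the "proxy" LogFormat from this article. The first field is the raw
# X-Forwarded-For value, which may hold several comma-separated entries.
PROXY_LINE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def client_ip(xff, trusted_proxies=()):
    """Return the right-most X-Forwarded-For entry that is not a trusted proxy.
    Assumption: the load balancer appends the peer it saw as the last entry,
    so entries further left were supplied by the client and are ignored.
    Returns None if the header is absent ("-") or the chosen entry is not an IP.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for entry in reversed([e.strip() for e in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # missing header or non-IP text: do not trust the line
        if not any(addr in net for net in nets):
            return str(addr)
    return None  # every entry was one of our own proxies

def parse_line(line, trusted_proxies=()):
    """Parse one "proxy"-format log line; return a dict or None if malformed."""
    m = PROXY_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["client_ip"] = client_ip(rec["xff"], trusted_proxies)
    return rec

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
    # Client sent its own header; the load balancer appended the real peer.
    '127.0.0.1, 198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/8.0"',
    # Request that did not pass through the load balancer: no header at all.
    '- - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_line(line)
        print(rec["client_ip"], "<-", repr(rec["xff"]))
```
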