Determining User IP Behind Load Balancer (Apache/Linux)

Cloud Server with Linux and Apache HTTP Server

If Apache is behind a load balancer, the actual IP of the user is overwritten by the IP of the load balancer. The Apache logfile now only contains the address of the load balancer. We show you how you can also log the original user IP under certain conditions.

In this case, the HTTP request contains the X-Forwarded-For header. This header is used to transmit the IP address of the user when a web server is accessed through a proxy or load balancer. However, since Apache does not take this header into account by default, the Apache configuration must be adjusted.

Note

For technical reasons, the load balancer can only transmit the user's IP for unencrypted requests, so the solution described here only works for those. If the request is made via HTTPS, no header entry can be added, since communication between client and web server is completely encrypted (it is not possible to install a separate SSL certificate on the load balancer).

To customize Apache's logging settings to include the X-Forwarded-For header:

  • In the Apache configuration file apache2.conf (CentOS: httpd.conf), add a log format entry with the variable %{X-Forwarded-For}i.

    An example of a LogFormat directive (named "proxy"):

    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" proxy

  • Add a CustomLog entry for the desired domains in the configuration files of the corresponding virtual hosts.

    In the following example, Apache is instructed to store data for domain.tld in the access.log file using the "proxy" log format:

    <VirtualHost domain.tld:80>
    # ... (existing directives)
    #CustomLog logs/access.log combined
    CustomLog logs/access.log proxy
    # ... (existing directives)
    </VirtualHost>

  • Restart the Apache service for the change to take effect.
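
Once the "proxy" format is active, the first log field is whatever the X-Forwarded-For header contained, which may be "-", a single address, or a comma-separated list. The following parser for that format is an added example, not part of the original article; it assumes the load balancer appends the address it saw as the last list entry, and the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Field layout of the article's "proxy" LogFormat. The first field is the raw
# X-Forwarded-For value, which can contain ", " when several hops added entries.
PROXY_LINE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

def client_ip(xff):
    """Return (ip, note) for one logged X-Forwarded-For value."""
    if xff == "-":  # Apache logs "-" when the header is absent
        return None, "no-header"
    hops = [h.strip() for h in xff.split(",")]
    try:
        # Assumption: the load balancer appends the address it saw, so only the
        # last entry is its own observation; earlier ones are sender-supplied.
        ip = ipaddress.ip_address(hops[-1])
    except ValueError:
        return None, "invalid"
    return str(ip), ("chain" if len(hops) > 1 else "ok")

def parse(line):
    """Parse one access.log line; None if it is not in the "proxy" format."""
    m = PROXY_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    ip, note = client_ip(m["xff"])
    return {"ip": ip, "note": note, "status": int(m["status"]),
            "request": m["request"]}

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/8.0"',
    '10.0.0.1, 198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '- - - [10/Oct/2023:13:55:41 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"',
    'not-an-ip - - [10/Oct/2023:13:55:42 +0000] "GET / HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse(line))
```

Lines tagged "chain" or "invalid" carry header content the load balancer did not generate itself, so treat any address other than the returned one as unverified.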