Apache : log real IP addresses behind a reverse proxy

Jan 10, 2022 by Thibault Debatty



It is now quite common to run a web application behind a reverse proxy or a load balancer. This is typically the case if you are running your application in a Kubernetes cluster. In this setup, the IP address that Apache logs is the IP of the proxy server, which is quite misleading and useless. To get Apache to log the real IP address of the clients, you have to enable and configure the remoteip module.


Enable the remoteip module:

sudo a2enmod remoteip

Add the following configuration to /etc/apache2/conf-available/remoteip.conf:

# /etc/apache2/conf-available/remoteip.conf
# https://cylab.be/blog/194/fix-apache-logs-behind-a-reverse-proxy

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy <ip.of.proxy>

Obviously, you must replace <ip.of.proxy> with the actual IP of the proxy server. If you have multiple IP addresses, you can list them...

And enable the configuration with:

sudo a2enconf remoteip

Finally, restart the Apache server:

sudo service apache2 restart
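
Why RemoteIPTrustedProxy should name only the proxy, shown as an added example that is not part of the original post or of Apache's code: a simplified Python model of how the logged address is chosen from X-Forwarded-For. The function name, the addresses and the sample requests are constructed for illustration, and the model covers IPv4 only.

```python
import ipaddress

# Ranges that a RemoteIPTrustedProxy (unlike RemoteIPInternalProxy) may not
# vouch for, per the Apache documentation (IPv4 only in this model).
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
            "169.254.0.0/16", "127.0.0.0/8")]

def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address that would be logged (simplified model)."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    client = ipaddress.ip_address(peer_ip)  # TCP peer: cannot be forged
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk the header right to left. An entry is believed only when the
    # address that reported it (the current `client`) is a trusted proxy.
    for hop in reversed(hops):
        if not any(client in net for net in trusted):
            break
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        if any(candidate in net for net in PRIVATE):
            break  # private address from the header is not accepted
        client = candidate
    return str(client)

if __name__ == "__main__":
    proxy = ["10.0.0.5"]  # constructed value standing in for <ip.of.proxy>
    # Constructed requests: (TCP peer, X-Forwarded-For value, trusted list)
    cases = [
        ("10.0.0.5", "203.0.113.7", proxy),
        ("10.0.0.5", "198.51.100.99, 203.0.113.7", proxy),
        ("203.0.113.50", "198.51.100.99", proxy),
        ("10.0.0.5", "198.51.100.99, 203.0.113.7", ["0.0.0.0/0"]),
    ]
    for peer, xff, trusted in cases:
        print(f"{peer:14} {xff:30} -> {resolve_client_ip(peer, xff, trusted)}")
```

With the proxy listed exactly, only the entry the proxy itself appended is logged; with an overly broad trusted range, a value supplied by the client in the header would end up in the access log.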