Introduction
Sometimes traffic reaches your server through an intermediary such as Cloudflare, another proxy, or a dedicated firewall, so Apache sees the intermediary's address rather than the visitor's. Apache offers mod_remoteip, which allows you to restore the original visitor address.
Per the Apache documentation:
It is critical to only enable this behavior from intermediate hosts (proxies, etc) which are trusted by this server, since it is trivial for the remote useragent to impersonate another useragent.
Procedure
First, install the module, either with yum or through EasyApache by searching for ea-apache24-mod_remoteip.
yum install ea-apache24-mod_remoteip
Next, create or modify the configuration file for mod_remoteip.
nano /etc/apache2/conf.modules.d/370_mod_remoteip.conf
Within this file, you need to configure the address of the proxy you want to trust. The contents of the remoteip.conf file identify your proxy server. If the proxy is on an internal network, use RemoteIPInternalProxy instead of RemoteIPTrustedProxy.
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 192.168.1.51

Or, for a proxy on an internal network:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 192.168.1.51
If there are additional addresses you need to add, you can do this by adding them one after the other.
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 192.168.1.51 10.10.10.20
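Why the trusted list matters, as an added example that is not part of the original article or Apache's code: a simplified Python model of how the client address is chosen from X-Forwarded-For, walking the header right to left and only believing a hop while the address that supplied it is a listed proxy. It assumes both proxies above are matched the way RemoteIPInternalProxy matches them (private addresses in the header are accepted); the function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Proxies from the configuration above, modelled as RemoteIPInternalProxy
# entries (assumption: private addresses in the header are accepted).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.51/32", "10.10.10.20/32")]


def is_trusted(addr):
    """True if addr falls inside one of the listed proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)


def effective_client_ip(peer, forwarded_for):
    """Return (client_ip, leftover_header) for one request.

    peer          -- address of the TCP connection as the web server sees it
    forwarded_for -- raw X-Forwarded-For value, or None if the header is absent
    """
    client = peer
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest
    # proxy. Consume an entry only while its supplier is on the trusted list.
    while hops and is_trusted(client):
        try:
            ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: stop and keep the last good address
        client = hops.pop()
    return client, ", ".join(hops)


if __name__ == "__main__":
    # Constructed sample requests: (peer, X-Forwarded-For)
    samples = [
        ("192.168.1.51", "203.0.113.7"),                  # normal proxied request
        ("198.51.100.9", "203.0.113.7"),                  # direct hit, header not believed
        ("192.168.1.51", "198.51.100.200, 203.0.113.7"),  # client-supplied entry on the left
        ("192.168.1.51", "203.0.113.7, 10.10.10.20"),     # two listed proxies in a chain
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", effective_client_ip(peer, xff))
```

Entries left over in the second return value are the ones no listed proxy vouched for; a request arriving directly from an unlisted address keeps its connection address no matter what the header claims.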
If you are using Cloudflare, the following example can be used. However, for the most up-to-date list of IPs, you should compare it with Cloudflare:
RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 131.0.72.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 2400:cb00::/32
RemoteIPTrustedProxy 2606:4700::/32
RemoteIPTrustedProxy 2803:f800::/32
RemoteIPTrustedProxy 2405:b500::/32
RemoteIPTrustedProxy 2405:8100::/32
RemoteIPTrustedProxy 2a06:98c0::/29
RemoteIPTrustedProxy 2c0f:f248::/32
Once that has been done, you'll need to go to Home » Service Configuration » Apache Configuration » Global Configuration:
%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
This format logs the %h field, which is the proxy address in our example. Because we want the originating client IP address logged instead of the remote IP, we replace %h with %a.
%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"
Save and restart Apache and that should handle this.