How to enable mod_remoteip

Introduction

Apache's mod_remoteip allows Apache to extract the visitor IP from requests received from proxies and load balancers. This enables your website and logs to know the actual visitor IP, rather than the connection showing the proxy or load balancer's IP. This guide will cover how to install and configure mod_remoteip.

Per the Apache documentation:

It is critical to only enable this behavior from intermediate hosts (proxies, etc) which are trusted by this server, since it is trivial for the remote useragent to impersonate another useragent.

Procedure

1) Install mod_remoteip.

A) Run the following command as root.

yum install ea-apache24-mod_remoteip

2) Configure mod_remoteip.

A) Place the following in the /etc/apache2/conf.d/includes/pre_virtualhost_global.conf file.

<IfModule remoteip_module>
 LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
 RemoteIPHeader X-Forwarded-For
 RemoteIPTrustedProxy 198.51.100.1 198.51.100.2
</IfModule>

B) Adjust the configuration as needed. More information about the log format can be found in the official Apache documentation.

RemoteIPHeader should be replaced with the header used to pass the visitor IP from the proxy or load balancer. Typically, this will be one of the following. Note that Nginx with Reverse Proxy (ea-nginx) uses the X-Forwarded-For header.

• X-Forwarded-For
• X-Client-IP
• X-Cluster-Client-IP
• CF-Connecting-IP

RemoteIPTrustedProxy should contain the IPs for the proxies or load balancers, separated by spaces.

If your server resides in a NAT environment, you will need to use RemoteIPInternalProxy instead of RemoteIPTrustedProxy.

3) Test the configuration.

Run the following command to check the Apache configuration. Any errors will need to be resolved before proceeding.

apachectl -t

4) Restart Apache with the following command.

/scripts/restartsrv_httpd