Obtaining the connecting clients IP address (Real IP) with Apache

Apache is one of the most popular Open Source webservers available. It is possible to retrieve the connecting users IP address from the X-Real-IP header through the mod_rpaf or mod_remoteip module for Apache 2. If you use mod_rpaf on the backend server you do not need to use any module or server side technology to set the remote_ip of the real client you are serving.

On Apache 2.4 or higher mod_remoteip is available and recommended. For earlier versions mod_rpaf should be used and is detailed below.

mod_remoteip (Apache 2.4)

Module configuration is pretty simple; there are only two directives to set - RemoteIPInternalProxy and RemoteIPHeader. With the former you can define which IP's are your frontend proxies that send the correct X-Forwarded-For headers. If you do not use the RemoteIPInternalProxy directive then the module will not change the remote address of the incoming connection at any time. With the configuration directive RemoteIPHeader you can now change the default X-Forwarded-For to X-Real-IP if you so choose.

Installation of mod_remoteip on Debian

  1. Install the libapache2-mod-remoteip package using your favorite package manager:

    apt-get install libapache2-mod-remoteip
    
  2. Enable mod_remoteip by executing:

    a2enmod remoteip
    
  3. Restart Apache to activate these changes:

    /etc/init.d/apache2 restart
    
  4. Edit the RPAF configuration file at /etc/apache2/mods-available/remoteip.conf with your favorite text editor.

    nano /etc/apache2/mods-available/remoteip.conf
    
  5. Your configuration should be similar to:

    RemoteIPInternalProxy A.B.C.D
    RemoteIPHeader X-Real-IP
    

Where "A.B.C.D" is, add your backend communication addresses, multiple addresses can be space separated. This will tell mod_remoteip which hosts to get X-Real-IP headers from.

mod_rpaf (Apache 2.2 or lower)

Module configuration is pretty simple; there are only two directives to set - RPAFenable and RPAFproxy_ips. With the later you can define which IP's are your frontend proxies that send the correct X-Forwarded-For headers. If you do not use the RPAFproxy_ips directive then the module will not change the remote address of the incoming connection at any time. RPAFsethostname will, when enabled, take the incoming X-Host header and update the VirtualHost settings accordingly.

Apache RPAF version 0.6 or higher gives you the ability to change which header Apache looks at. With the configuration directive RPAFheader you can now change the default X-Forwarded-For to X-Real-IP if you so choose. There are also bugfixes in this version that makes mod_rpaf work correctly with Keep-Alive requests. We recommend using this version or later. mod_rpaf is the most thorough solution for apache2 if you are using AWStats, Webalizer as it retrieves the IP at the server level (not the backend level) so the client IP is stored correctly in logs and statistics.

Installation of mod_rpaf on Debian

  1. Install the libapache2-mod-rpaf package using your favorite package manager:

    apt-get install libapache2-mod-rpaf
    
  2. Enable mod_rpaf by executing:

    a2enmod rpaf
    
  3. Restart Apache to activate these changes:

    /etc/init.d/apache2 restart
    
  4. Edit the RPAF configuration file at /etc/apache2/mods-available/rpaf.conf with your favorite text editor.

    nano /etc/apache2/mods-available/rpaf.conf
    
  5. Your configuration should be similar to:

    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1 A.B.C.D
    RPAFheader X-Real-IP
    

Where "A.B.C.D" is, add your proxy server IP address(es), multiple addresses can be space separated. This will tell mod_rpaf which hosts to get X-Real-IP headers from.

Installation of mod_rpaf on CentOS from Source

The below instructions can be used to install mod_rpaf on CentOS 5 and CentOS 6. It can also be used to install mod_rpaf on RHEL and Fedora Core.

Note: You must make sure that the Apache2 Development Package (CentOS httpd-devel) is installed on your server before you start installing mod_rpaf using the below instructions.

  1. Ensure that the package httpd-devel is installed. To install this package run:

    yum install httpd-devel
    
  2. Download and Extract the mod_rpaf package:

    cd /usr/local/src
    wget http://mirror.trouble-free.net/sources/mod_rpaf-0.6.tar.gz
    tar xzvf mod_rpaf-0.6.tar.gz
    cd mod_rpaf-0.6
    
  3. Build and install mod_rpaf:

    apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
    
  4. Add mod_rpaf to Apache configuration:

    nano /etc/httpd/conf/httpd.conf
    
  5. Find the 'LoadModule' list (near the top) and add the following lines at the bottom of the 'LoadModule' list:

    LoadModule rpaf_module modules/mod_rpaf-2.0.so
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 127.0.0.1 A.B.C.D
    RPAFheader X-Real-IP
    

    Important Note: Where "A.B.C.D" is, add your proxy server IP address(es), multiple addresses can be space separated. This will tell mod_rpaf which hosts to get X-Real-IP headers from.

  6. You are now finished. Restart Apache using below commands for the changes to take place:

    /etc/init.d/httpd restart
    

More Information

More information on the X-Real-IP header can be found here. More information on the Apache (httpd) web server can be found on the project website and documentation for the mod_rpaf module.

If you run Apache 2.4 or 2.5, use mod_remoteip instead.