How to get the real accessing IPs behind a load-balancing proxy

If you are using a load-balancing proxy such as squid, apache itself or pound, you will only find the proxy’s IP in your backend apache’s access/error logs. I tested two apache modules which replace the proxy’s IP by the X-Forwarded-For-IP provided by your load-balancing proxy: mod_rpaf and mod_extract_forwarded.

If you are running Debian, the easier installation will be mod_rpaf since it is provided in the (stable) sarge tree as well as in the (unstable) sid tree. The sid version will run smoothly under (testing) etch. As long as you are loggin IP addresses, the mod_rpaf is doing a great job. As soon as you are setting HostnameLookups On though, you will find your proxy’s hostname in the logs again – which is not what I wanted.

On OpenInfo you can download (local copy) the other solution I found, mod_extract_forwarded. Just download it to your apache server and extract the tar-archive. As found in the module’s documentation you should comment out the line

#define USING_proxy_http_module 1

by preceeding it with two slashes (//). This will be necessary if your apache server doesn’t load mod_proxy at this time (which backend servers usually don’t). Just don’t forget to remove the slashes again should you need and load mod_proxy some time later.

Compile the module by issuing

apxs2 -c -i -a mod_extract_forwarded.c

and you will find your module in your apache’s modules directory. The -a option will add a line to your apache configuration files which will then load the module automatically on every server (re-)start. The line will look like this – in case you have to remove it again:

LoadModule extract_forwarded_module /usr/lib/apache2/modules/

Within your site configuration (somewhere above the DocumentRoot line) you have to enable the module. Be sure to enter only the IP address of YOUR load-balancing proxy, no other proxies or even all proxies, otherwise you could find many fake IP addresses in your logs. Here are the configuration lines, be sure to change to YOUR load-balancing proxy’s IP address as it is seen by your apache-server (usually the IP you find for every access in your logs so far):

MEForder refuse,acceptMEFrefuse allMEFaccept

Restart your server and you should find the real IP addresses of your visitors in your logs.

Leave a Reply