I have a load balancer and two servers. I want to add X-Forwarded-For in my apache so that I can see the IP of the request as opposed to seeing the load balancer IP for every request. How would I do this? I looked it up and `X-Forwarded-For: client, proxy1, proxy2` looks like a solution. Would client be the load balancer IP, proxy1 be Server 1's IP, and proxy2 be Server 2's IP?
1 Answer
I assume you already referenced http://en.wikipedia.org/wiki/X-Forwarded-For - which is likely where you copied your `X-Forwarded-For: client, proxy1, proxy2` format from.
I also assume you're using a dedicated load balancer (something other than Apache HTTPD), which directs traffic to your "servers" - with your "Apache" included on each server, and that you know how to configure your load balancer to pass this header.
I think the missing piece that you need to understand is this (also from the Wikipedia page):
where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request.
I.E., if your load balancer is the only proxy that a given request goes through (at least, the only one that adds a X-Forwarded-For header), then the header will only include one value - that of your load balancer.
Assume you are handling a request from a client with 203.0.113.1, and that request comes through your load balancer that has an IP of 192.0.2.1. Your Apache HTTP instance running on one of your 2 servers should then see the request as coming from 192.0.2.1, with: `X-Forwarded-For: 203.0.113.1`.
In order to see this header in your Apache HTTPD logs, you need to use something like this:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D \"%{Host}i\" \"%{X-Forwarded-For}i\"" custom
The load balancer's IP (192.0.2.1) will still show as the 1st field (`%h`) in the log entry, but the last field (`\"%{X-Forwarded-For}i\"`) will contain the client's IP(s) - in this case, 203.0.113.1. If the client is behind additional proxies that also report X-Forwarded-For, then it will be a comma-separated list - with the left-most address being the "closest" to your servers - I.E., the one that your load balancer received the request from.

-
Thanks! So what exactly do I put in my apache config if my load balancer IP is `192.0.2.1`? X-Forwarded-For: 192.0.2.1 ? – bigpotato Sep 16 '13 at 18:11
-
@Edmund - you don't specify the `X-Forwarded-For` anywhere in your Apache configuration (other than to include its value in the logging format, as mentioned above). Your load balancer should be setting this as an additional HTTP header on the request that will be received by one of your Apache HTTP instances. – ziesemer Sep 16 '13 at 18:14
-
So all I have to do is add `LogFormat ...` to my apache and reload it? – bigpotato Sep 16 '13 at 18:16
-
@Edmund - as long as you have successfully configured your load balancer to provide this header, and as long as all you want to do at this point is see it reported in your access logs: Yes. – ziesemer Sep 16 '13 at 18:17
-
Actually nothing in my log file changed... I still see my load balancer IP in my logs – bigpotato Sep 16 '13 at 18:42
-
@Edmund - as I noted above, you won't see a change in the 1st field (`%h`) in the log entry - but if you've altered your log format (along with a matching `CustomLog` statement), you should see the X-Forwarded-For values at the end of each log line. Again, you'd also need to check that your load balancer is actually creating and sending this header. (Alternatively, if you moved to something like DNS load balancing instead of a NAT or proxy model, then Apache would actually "see" the requests as the client IPs that they actually came from.) – ziesemer Sep 16 '13 at 18:48
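An added example, not part of the original answer or comments: a Python parser for lines written with the `LogFormat` from the answer, which picks the address to attribute each request to. It uses X-Forwarded-For only when `%h` is the load balancer and takes the right-most entry that is not a trusted proxy, since entries further left arrive with the request. The log lines are constructed, and treating 192.0.2.1 as the only trusted proxy is an assumption taken from the answer's example.

```python
import ipaddress
import re

# Assumption: the load balancer from the answer's example is the only trusted proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.1/32")]

# Answer's LogFormat: %h is the first field, X-Forwarded-For the last quoted field.
LINE_RE = re.compile(r'^(?P<peer>\S+) .* "(?P<xff>[^"]*)"$')

# Constructed sample log lines (not taken from the page).
REQ = '- - [16/Sep/2013:18:42:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.30" 1234 "www.example.test"'
SAMPLE_LINES = [
    f'192.0.2.1 {REQ} "203.0.113.1"',
    f'192.0.2.1 {REQ} "198.51.100.7, 203.0.113.1"',  # left entry arrived with the request
    f'203.0.113.9 {REQ} "198.51.100.7"',  # peer is not the load balancer
    f'192.0.2.1 {REQ} "-"',  # header absent
]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(log_line):
    """Return the address a request should be attributed to."""
    m = LINE_RE.match(log_line.strip())
    if m is None:
        raise ValueError("line does not match the expected LogFormat")
    # Assumes HostnameLookups is off, so %h is an IP address.
    peer = ipaddress.ip_address(m.group("peer"))
    if not is_trusted(peer):
        return str(peer)  # header was not set by our proxy: ignore it
    # Proxies append on the right, so walk right to left and stop at the
    # first address that is not one of our own proxies.
    for hop in reversed(m.group("xff").split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # "-" or malformed entry: trust nothing further left
        if not is_trusted(addr):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(client_ip(line))
```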