Forwarding Client IP Addresses from HAProxy to Apache2 Web Server

In this tutorial, we’ll configure both HAProxy and Apache2 to ensure that the client’s real IP address is forwarded and logged on the backend server.

What to do

  1. Learn why client IP forwarding is needed.
  2. Configure HAProxy to forward client IPs.
  3. Adjust Apache settings to handle forwarded IPs.
  4. Test the setup to ensure it works.
  5. Troubleshoot any issues if needed.

When working with a reverse proxy such as HAProxy in front of an Apache2 web server, preserving the client’s original IP address is crucial for accurate logging and analysis.

Understanding the X-Forwarded-For Header

In a typical reverse-proxy setup, the backend server views the proxy’s IP address as the client’s address. To forward the actual client IP address, we use the X-Forwarded-For HTTP header.

Examining Backend Logs Before Configuration

Before implementing our configuration, the backend Apache2 web server logs only show the IP address of the HAProxy server instead of the actual client IP.

Configuring HAProxy to Forward the Client IP

SSH into your HAProxy server and open /etc/haproxy/haproxy.cfg. Within the backend section designated for the Apache2 server, add the following lines:

backend Apache2_Server
    mode http
    option forwardfor
    http-request set-header X-Real-IP %[src]

These directives do the following:

  • mode http sets the processing mode to HTTP.
  • option forwardfor adds the X-Forwarded-For header automatically.
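  • http-request set-header sets the X-Real-IP header to the client’s source IP address (%[src]). The Apache configuration below reads X-Forwarded-For, so X-Real-IP is an additional header for the backend rather than the one Apache uses.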

After adding these lines, save and exit the file.

Enabling the Remote IP Module on Apache2 Server

Next, SSH into your Apache2 server and enable the remoteip module:

sudo a2enmod remoteip

The remoteip module replaces the address Apache sees for the connection (the HAProxy server’s) with the client address that HAProxy supplies in the X-Forwarded-For header.

If the remoteip module is not available, consider installing or updating your Apache2 server using guides available at Linuxbeast, such as Install Apache2 on Ubuntu.

Once the remoteip module is enabled, update the main Apache2 configuration file, typically located at /etc/apache2/apache2.conf. Add the following lines to name the header to read and to trust the HAProxy server as its source:

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy <HAProxy-Server-IP>

Make sure to replace <HAProxy-Server-IP> with the actual IP address of your HAProxy server.
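
To show why RemoteIPTrustedProxy should list only the HAProxy address, the following simplified Python model walks X-Forwarded-For the way the mod_remoteip documentation describes. It is an added example, not code from this tutorial or from Apache; resolve_client_ip, the sample addresses and the 0.0.0.0/0 entry are constructed for illustration.

```python
import ipaddress

# Header addresses that RemoteIPTrustedProxy will not accept as the client
# (RemoteIPInternalProxy would), per the mod_remoteip documentation.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_intranet(addr):
    if addr.version == 4:
        return any(addr in net for net in PRIVATE_V4)
    return addr not in PUBLIC_V6


def resolve_client_ip(peer, xff, trusted_proxies):
    """Address the backend would log for one request (simplified model)."""
    proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
    client = ipaddress.ip_address(peer)
    tokens = [t.strip() for t in xff.split(",") if t.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest
    # proxy. Keep going only while the current address is a trusted proxy.
    while tokens and any(client in net for net in proxies):
        try:
            candidate = ipaddress.ip_address(tokens[-1])
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        if is_intranet(candidate):
            break  # RemoteIPTrustedProxy leaves private addresses in the header
        tokens.pop()
        client = candidate
    return str(client)


if __name__ == "__main__":
    HAPROXY = "10.0.0.5"  # constructed stand-in for <HAProxy-Server-IP>
    cases = [  # (peer address, X-Forwarded-For value, trusted proxies), all constructed
        (HAPROXY, "203.0.113.7", [HAPROXY]),                  # normal request
        (HAPROXY, "192.0.2.66, 203.0.113.7", [HAPROXY]),      # client sent its own header
        ("203.0.113.7", "192.0.2.66", [HAPROXY]),             # request bypassed HAProxy
        (HAPROXY, "192.0.2.66, 203.0.113.7", ["0.0.0.0/0"]),  # over-broad trust
        (HAPROXY, "192.168.1.20", [HAPROXY]),                 # private client address
    ]
    for peer, xff, trusted in cases:
        print(f"{peer:>12} | {xff:<24} | {resolve_client_ip(peer, xff, trusted)}")
```

With only the HAProxy address trusted, a header value supplied by the client is never logged as the client address; trusting every address lets it through. The last case shows that a client with a private address is still logged as the HAProxy address under RemoteIPTrustedProxy, and RemoteIPInternalProxy is the directive that accepts such addresses.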

Validating and Restarting Apache2

It’s essential to test your Apache2 configuration for syntax errors:

sudo apache2ctl configtest

Upon receiving a “Syntax OK” message, proceed to reload or restart your Apache2 server:

sudo systemctl restart apache2

Confirming the Results

After implementing the changes, your backend Apache2 web server logs should now record the actual client IP addresses, not just the address of the HAProxy server. This will greatly improve your ability to track and analyze traffic coming into your web servers.

By following this tutorial, you’ve successfully configured client IP forwarding from HAProxy to Apache2, enabling more precise logging and administration of your web environment.
