In this tutorial, we’ll configure both HAProxy and Apache2 to ensure that the client’s real IP address is forwarded and logged on the backend server.
What to do
- Learn why client IP forwarding is needed.
- Configure HAProxy to forward client IPs.
- Adjust Apache settings to handle forwarded IPs.
- Test the setup to ensure it works.
- Troubleshoot any issues if needed.
When working with a reverse proxy such as HAProxy in front of an Apache2 web server, preserving the client’s original IP address is crucial for accurate logging and analysis.
Understanding the X-Forwarded-For Header
In a typical reverse-proxy setup, the backend server views the proxy’s IP address as the client’s address. To forward the actual client IP address, we use the X-Forwarded-For HTTP header.
Examining Backend Logs Before Configuration
Before implementing our configuration, the backend Apache2 web server logs only show the IP address of the HAProxy server instead of the actual client IP.
Configuring HAProxy to Forward the Client IP
SSH into your HAProxy server and open /etc/haproxy/haproxy.cfg. Within the backend section designated for the Apache2 server, add the following lines:
backend Apache2_Server
mode http
option forwardfor
http-request set-header X-Real-IP %[src]
These directives do the following:
mode httpsets the processing mode to HTTP.option forwardforadds theX-Forwarded-Forheader automatically.http-request set-headerexplicitly sets the headerX-Real-IPwith the client’s source IP address.
After adding these lines, save and exit the file.
Enabling the Remote IP Module on Apache2 Server
Next, SSH into your Apache2 server and enable the remoteip module:
sudo a2enmod remoteip
The remoteip module substitutes the client IP address with the one provided by the HAProxy server through the X-Forwarded-For header.
If the remoteip module is not available, consider installing or updating your Apache2 server using guides available at Linuxbeast, such as Install Apache2 on Ubuntu.
Once the remoteip module is enabled, update the main Apache2 configuration file typically located at /etc/apache2/apache2.conf. Add the following line to trust the HAProxy server and designate which headers to capture:
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy <HAProxy-Server-IP>
Make sure to replace <HAProxy-Server-IP> with the actual IP address of your HAProxy server.
Validating and Restarting Apache2
It’s essential to test your Apache2 configuration for syntax errors:
sudo apache2ctl configtest
Upon receiving a “Syntax OK” message, proceed to reload or restart your Apache2 server:
sudo systemctl restart apache2
Confirming the Results
After implementing the changes, your backend Apache2 web server logs should now record the actual client IP addresses, not just the address of the HAProxy server. This will greatly improve your ability to track and analyze traffic coming into your web servers.
By following this tutorial, you’ve successfully configured client IP forwarding from HAProxy to Apache2, enabling more precise logging and administration of your web environment.