Also, there are a few similar questions/problems that refer to the same issue:
> How do I capture client IP addresses in the web server logs behind an elastic load balancer?
> How to Get the Source IP Behind the Load Balancer?
> Getting the request’s source IP behind the Reverse Proxy?
When a load balancer or reverse proxy is used, client requests first reach the load balancer, which then forwards them to the backend servers that prepare and serve the actual response. Because of this middleman, the backend server sees the IP address of the load balancer or reverse proxy instead of the client's real IP.
So the real client IP is not available in the server logs or in your application, and if you are implementing a new feature that requires the user's IP address, this can be a problem.
[Image: Example of Apache2 Access log]
Short description
Your web server access logs capture the IP address of your load balancer/reverse proxy because the load balancer establishes the connection to your instances.
To capture the IP addresses of clients in your web server access logs and in your application, configure the following:
- For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, add the X-Forwarded-For HTTP header to capture client IP addresses.
- For Classic Load Balancers with TCP/SSL listeners, configure proxy protocol support on the Classic Load Balancer and the target application.
- For the reverse proxy case, make sure the proxy server passes the X-Forwarded-For HTTP header when it forwards requests.
When working with load balancers and backend servers, it’s important to understand how client IP addresses are handled. By default, many load balancers do not forward the actual client IP addresses to the backend servers. Instead, the backend servers only see the private IP address of the load balancer itself. In this case additional settings or rules need to be implemented.
The problem
$_SERVER['REMOTE_ADDR'] - returns the Load Balancer IP or Reverse Proxy IP.
In the server access.log - the Client IP field contains the Load Balancer IP or Reverse Proxy IP.
This guide walks you through enabling client IP forwarding from the Load Balancer / Reverse Proxy and configuring your web server to receive the real client IP.
Prerequisites
We have: Ubuntu 22.04, Apache2, AWS Load Balancer, Apache2 as Reverse Proxy
Solution 1: For Apache2 HTTP server
Ubuntu 22.04, Apache2
For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners Apache2 Servers
Main step:
Edit the Apache2 server configuration file /etc/apache2/apache2.conf
and, on the line where the access log formats are defined (in our case the "LogFormat" section), add %{X-Forwarded-For}i, as the following example shows:
%{X-Forwarded-For}i - was added to the combined LogFormat
Solution 2: For Apache2 HTTP server using module mod_remoteip
Ubuntu 22.04, Apache2
Using mod_remoteip
(this Apache2 module needs to be enabled)
On the server, update the web server config file for the main host or virtual host where detection of the real client IP is needed. The configuration file is usually named after the website or virtual host it corresponds to, and has a .conf extension. You can find this file in the /etc/apache2/sites-available/ directory.
Example: /etc/apache2/sites-available/000-default.conf
More documentation on Apache2 module mod_remoteip
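# Load balancer: take the client IP from X-Forwarded-For, accepted only from the balancer
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy <balancer/proxy ip or range>
#or
# Reverse proxy: take the client IP from the header the proxy sets
RemoteIPHeader X-Client-IP
Add this code (the first block for a load balancer, the second for a proxy) to the host configuration section, inside the virtual host tag. mod_remoteip only acts when RemoteIPHeader is set, so the load balancer block names the header as well as the trusted range.
<balancer/proxy ip or range> - the IP address or range of the balancer/proxy (Example: 10.0.2.16/28)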
sudo a2enmod remoteip
#Restart apache2
sudo systemctl restart apache2
Here, we enable the required remoteip module and restart Apache2. After that, the access log lists the correct IP address of the client.
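Why the trusted proxy range matters, as an added example that is not part of the original tutorial and is not Apache's code: X-Forwarded-For is an ordinary request header, so a client can send its own value and the balancer appends the real address after it. This Python sketch models a trusted-proxy walk over the header; `leftmost`, `resolve_client_ip` and all addresses are hypothetical, constructed sample values.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from a real log.
TRUSTED_PROXIES = ["10.0.2.16/28"]   # the balancer/proxy range from the config above
BALANCER = "10.0.2.20"               # TCP peer the backend sees
REAL_CLIENT = "203.0.113.7"
FORGED = "198.51.100.99"             # value a client put into the header itself


def leftmost(xff_header):
    """What an application gets if it takes the first entry blindly."""
    return xff_header.split(",")[0].strip()


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Pick the client IP using a trusted-proxy list (hypothetical helper)."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    # Header arrived over a connection that is not from our proxy: ignore it.
    if not xff_header or not is_trusted(current):
        return str(current)
    # Each proxy appends the address it received the request from, so the
    # right-most entries are the ones written by infrastructure we control.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break              # malformed entry: keep the last verified address
        current = candidate
        if not is_trusted(current):
            break              # first hop that no trusted proxy vouches for
    return str(current)


if __name__ == "__main__":
    header = f"{FORGED}, {REAL_CLIENT}"   # forged entry first, balancer's entry last
    print("leftmost entry :", leftmost(header))
    print("trusted walk   :", resolve_client_ip(BALANCER, header, TRUSTED_PROXIES))
    print("direct request :", resolve_client_ip(FORGED, REAL_CLIENT, TRUSTED_PROXIES))
```

The same reasoning applies to Solution 1: %{X-Forwarded-For}i logs the header exactly as received, so the forged entry appears in the access log next to the real one.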
Conclusion
In this tutorial we managed to get the real client IP: retrieve it, check the X-Forwarded-For (XFF) or X-Real-IP headers, and store the original client IP in the access log.