
Using rpaf Apache module to preserve client IP

Suppose you have two web servers on your network: a public Server A and a private Server B. You may want to publish some sections of the private server on the internet using the Apache proxy module. In this example, the “users” path on www.server_a.com is proxied to www.server_b.com/users. Because Server A is on the same private network as Server B, it knows how to reach Server B and forwards the web requests to it. The problem is that Server B will always see the IP of Server A (192.168.20.50) as the client address in all requests.

Server A
Public IP: 85.164.26.20
Private IP: 192.168.20.50

 ProxyRequests Off
 ProxyPreserveHost On
 ProxyPass /users http://www.server_b.com/users
 ProxyPassReverse /users http://www.server_b.com/users

Server B
Private IP: 192.168.20.51

To solve this problem you can use the rpaf module for Apache2. The author explains it as follows:

“It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. First condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure.”

In this case, rpaf replaces the remote address 192.168.20.50 with the real client address sent in the X-Forwarded-For header.
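The rule quoted above, modelled in Python as an added example (it is not mod_rpaf's source code and not part of the original post). It shows why the proxy list must contain only Server A: a header from any unlisted peer is ignored, and only the last header entry, the one the proxy appended, is used. The function name, the sample addresses other than 192.168.20.50 and the address validation step are assumptions of this example.

```python
import ipaddress

# From the page: Server A's private IP, the only peer whose header is trusted.
TRUSTED_PROXIES = {"192.168.20.50"}


def effective_client_ip(peer_ip, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Return the address Server B should record for a request.

    Rewrite the remote address only when the connecting peer is a listed
    proxy AND an X-Forwarded-For header is present; then use the LAST
    address in that header.
    """
    if peer_ip not in trusted:
        # Unlisted peer: whatever it put in the header is not believed.
        return peer_ip
    if not x_forwarded_for:
        return peer_ip
    last = x_forwarded_for.split(",")[-1].strip()
    try:
        # Validation is a choice of this example: keep the peer address
        # rather than log a malformed value as if it were an IP.
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer_ip


# Constructed sample requests as Server B would receive them:
# (peer address, X-Forwarded-For header value)
SAMPLES = [
    ("192.168.20.50", "203.0.113.7"),            # normal proxied request
    ("192.168.20.50", "10.9.9.9, 203.0.113.7"),  # client-supplied entry, then the proxy's
    ("192.168.20.77", "203.0.113.7"),            # unlisted host sending the header itself
    ("192.168.20.50", None),                     # request from the proxy with no header
    ("192.168.20.50", "not-an-ip"),              # malformed header
]


def resolve_samples():
    return [effective_client_ip(peer, xff) for peer, xff in SAMPLES]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLES, resolve_samples()):
        print(f"peer={peer:<15} xff={xff!r:<26} -> recorded as {ip}")
```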

1- Install the rpaf module on Server B

# apt-get install libapache2-mod-rpaf

2- Configure your virtual host on Server B to use the rpaf module:

RPAFenable On
RPAFsethostname On
RPAFproxy_ips 192.168.20.50

3- Restart Apache

# apachectl restart

Now you will see the real client IP in your Apache access logs.