HAProxy and real IP addresses in Apache2 using the RPAF module

If you’re using a reverse proxy and want to see the client’s real IP addresses instead of the proxy’s localhost address in Apache2’s log file (or any Apache-based web application which reports the client’s IP address), you might want to have a look at the RPAF module.
The RPAF (Reverse Proxy Add Forward) module will enable Apache2 to report the client’s real IP address through a reverse proxy (like HAProxy). The module essentially replaces the proxy’s IP address with the X-Forwarded-For HTTP header set by the proxy.

Here’s how to install the module it in Debian/Ubuntu:

apt-get install libapache2-mod-rpaf
a2enmod rpaf

At least in Ubuntu 12.04, there’s a nasty gotcha in the RPFA’s config file. Here’s what it looks like:

<IfModule mod_rpaf.c>
 RPAFenable On
 RPAFsethostname On
 RPAFproxy_ips 127.0.0.1 ::1
</IfModule>

You have to remove the two IfModule lines in order to make it work.

Additionally, the reverse proxy needs to be told to set/replace the X-Forwarded-For HTTP header. In case of HAProxy:

defaults
  log global
  mode http
  option forwardfor
  ...

2 thoughts on “HAProxy and real IP addresses in Apache2 using the RPAF module

Comments are closed.