HAProxy and real IP addresses in Apache2 using the RPAF module

If you’re using a reverse proxy and want to see the client’s real IP addresses instead of the proxy’s localhost address in Apache2’s log file (or any Apache-based web application which reports the client’s IP address), you might want to have a look at the RPAF module.
The RPAF (Reverse Proxy Add Forward) module will enable Apache2 to report the client’s real IP address through a reverse proxy (like HAProxy). The module essentially replaces the proxy’s IP address with the X-Forwarded-For HTTP header set by the proxy.

Here’s how to install the module it in Debian/Ubuntu:

apt-get install libapache2-mod-rpaf
a2enmod rpaf

At least in Ubuntu 12.04, there’s a nasty gotcha in the RPFA’s config file. Here’s what it looks like:

<IfModule mod_rpaf.c>
 RPAFenable On
 RPAFsethostname On
 RPAFproxy_ips ::1

You have to remove the two IfModule lines in order to make it work.

Additionally, the reverse proxy needs to be told to set/replace the X-Forwarded-For HTTP header. In case of HAProxy:

  log global
  mode http
  option forwardfor

2 replies on “HAProxy and real IP addresses in Apache2 using the RPAF module”

Comments are closed.