httpd-users mailing list archives

From Mike Rumph
Subject Re: [users@httpd] mod_remoteip not setting client's ip with AWS ELB
Date Thu, 02 Oct 2014 16:04:44 GMT
Hello Christopher,

Since you are running 2.4.10, you have the latest mod_remoteip fixes.
But I think the problem is in the directives that you are using:

      RemoteIPHeader X-Forwarded-For

If you only use the RemoteIPHeader directive, then the default is to 
treat all proxies as external trusted proxies.
Having RemoteIPTrustedProxy set for all your proxies would have the same 

I assume by your mask that this matches your proxy addresses.
But is a mask for internal IP addresses.
So your proxies will not be accepted as external proxies.
And your true client ip address will not be used.

Try the following directives instead:

RemoteIPHeader X-Forwarded-For

Let us know if this works for you.


Mike Rumph

On 10/2/2014 6:46 AM, Christopher Schultz wrote:
> Mike,
> On 10/1/14 5:40 PM, Mike Rumph wrote:
>> What version of Apache httpd are you running?
> Thanks for the reply. We are running 2.4 and 2.2 on various servers, but
> I'm starting with this one:
> Server version: Apache/2.4.10 (Amazon)
> Server built:   Jul 30 2014 23:57:28
> This is the httpd package that Amazon bundles with its Amazon Linux. If
> possible, I'd prefer to continue to use their packages.
>> There have been some mod_remoteip fixes in recent 2.4.x releases.
>> You could also try setting up some LogFormat directives as in bug 55635
>> to get more information on this.
>> -
> I'll modify my log format and post what I get under various circumstances.
> FWIW, I currently have no "Allow" or "Deny" directives in effect. I was
> planning eventually to say "Allow from 10/8" or something equivalent to
> only allow connections to this virtual host from the load-balancer. If
> that's not going to work, it's easily done at the OS or firewall level.
> Thanks,
> -chris
>> On 10/1/2014 11:00 AM, Christopher Schultz wrote:
>>> All,
>>> I'm trying to get httpd working behind an AWS ELB but still using the
>>> remote client's information whenever possible.
>>> ELB provides the X-Forwarded-For, X-Forwarded-Port, and
>>> X-Forwarded-Proto HTTP headers. My configuration looks like this:
>>>       RemoteIPHeader X-Forwarded-For
>>>       #RemoteIPTrustedProxy
>>> (I commented-out the RemoteIPTrustedProxy line to see if that was the
>>> problem, and it does not appear to have changed the behavior).
>>> My true client IP address is and I'm making a request
>>> through the load balancer. I'm using PHP's "phpinfo()" to dump
>>> everything about the request. I can see that the X-Forwarded-For header
>>> has been /removed/ from the request (which mod_remoteip says will
>>> happen), but I'm still getting the ELB's IP address in my access logs:
>>> - - [01/Oct/2014:17:59:27 +0000] "GET /info.php HTTP/1.1"
>>> 200 72810 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
>>> Gecko/20100101 Firefox/32.0"
>>> I have definitely restarted httpd and mod_remoteip is definitely enabled
>>> (no errors on start, X-Forwarded-For header is being removed from the
>>> headers).
>>> Am I missing something in my configuration?
>>> Thanks,
>>> -chris
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail:
>> For additional commands, e-mail:
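
A check for the symptom described in this thread (the load balancer's address showing up in the access log instead of the client's), as an added example that is not part of the original messages. It assumes the common/combined log format with the client address in the first field and a load balancer in 10.0.0.0/8 (the thread mentions "10/8"); the sample log lines are constructed.

```python
import ipaddress
import re

# Assumption: the load balancer connects from this private range.
# Replace with the subnets your ELB actually uses.
PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common/combined log format: client address (%h or %a) is the first field.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

def classify(line):
    """Return 'proxy', 'client' or 'unparsed' for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return "unparsed"  # hostname in the first field, or a damaged line
    # 'proxy' means the peer address was logged: the forwarded header
    # was not applied to this request.
    return "proxy" if any(addr in net for net in PROXY_NETS) else "client"

def audit(lines):
    """Count how many entries were attributed to the proxy vs. a client."""
    counts = {"proxy": 0, "client": 0, "unparsed": 0}
    for line in lines:
        if line.strip():
            counts[classify(line)] += 1
    return counts

# Constructed sample lines (addresses are placeholders, not from the thread).
SAMPLE = [
    '10.0.1.5 - - [01/Oct/2014:17:59:27 +0000] "GET /info.php HTTP/1.1" '
    '200 72810 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Oct/2014:16:10:02 +0000] "GET /info.php HTTP/1.1" '
    '200 72810 "-" "Mozilla/5.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(result)
    if result["proxy"]:
        print("some requests are still logged with the load balancer's address")
```

A non-zero `proxy` count after a configuration change means requests are still being attributed to the load balancer, so IP-based logging and access rules are not yet seeing the real client.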
