[Gllug] Apache as web accelerator: forwarding the client's real IP address

Richard Jones rich at annexia.org
Mon Sep 25 10:18:58 UTC 2006 

We have a setup here where we're running Apache (with mod_proxy) as a
web accelerator[1] in front of our real web servers:

                |
                | client request
                V
	+----------------+
	| Apache +       |
        | mod_proxy as   |  ==> request logging
        | accelerator    |
        +----------------+
            |        |
            |        |
	    V        V
   +----------+  +-----------+
   | httpd1   |  | httpd2    | etc.
   +----------+  +-----------+

This all works well.  However the problem is that the back-end web
servers don't see the clients' real IP addresses.  This causes some
problems - eg. in blocking rogue IPs, WordPress moderator requests
(which contain the client IP), anonymous MediaWiki edits which record
against the client IP, etc.  Because the back-end web servers are only
connected to the web accelerator, they always report its address
(ie. 10.x.x.x).

Seems like the solution to this is for the accelerator to pass the
client's IP address through to the back-end web server as an
additional HTTP header, sort of like:

  X-Real-Client-IP: 128.4.5.6

However I can't see any way to enable this in mod_proxy, nor if there
is some sort of standard header that I should be using.  For example,
can back-end webservers be configured to substitute the client IP
address given in an HTTP request header, instead of what they'd
normally get out of getpeername/request_rec?

Rich.

[1] Actually the real technical reason to front it like this wasn't so
much for web acceleration, but because we run lots of web servers with
strange technical requirements, and it's impossible to get all the
different custom Apache modules to play together nicely in a single
webserver, and even if it could be done, I doubt it'd be very
reliable.

-- 
Richard Jones, CTO Merjis Ltd.
Merjis - web marketing and technology - http://merjis.com
Internet Marketing and AdWords courses - http://merjis.com/courses - NEW!
Merjis blog - http://blog.merjis.com - NEW!
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list