Configure Apache with Load-balancer / Proxy

If your Apache website sits behind a load-balancer or proxy, some features might not work well. The proxy, for example, might “hide” the true IP of clients: the address your application sees in the REMOTE_ADDR attribute (in PHP, for example) will be the IP of the proxy, which renders an IP ban in .htaccess useless.

If that happens, it is time to do some configuration. First, you need to enable the mod_remoteip module to handle requests that come through a proxy. It allows you to “rewrite” some headers in the request so that your web application knows the true client IP.

Open your httpd.conf in a text editor and uncomment this line:

#LoadModule remoteip_module modules/mod_remoteip.so

by removing the # character at the beginning of the line.

Now you need to configure the remote IP address. Depending on what you have, you might add one of these lines to httpd.conf:

for a load-balancer:

RemoteIPHeader X-Client-IP

for a proxy:

RemoteIPHeader X-Forwarded-For

This tells Apache how to get the true client IP to put into REMOTE_ADDR.

Now you can configure the “proxy” or load-balancer you trust:

RemoteIPInternalProxy 10.0.2.0/24

What does /24 mean in this case? It means the directive allows a range of IPs that match the first 24 bits.

As we all know, an IPv4 address is a 32-bit value, i.e. 4 bytes. So the first 3 bytes, 10.0.2, must match, and the last byte can be anything from 0 to 255. So 10.0.2.0/24 will accept 10.0.2.0 to 10.0.2.255. This is usually the range of your “internal network”.

/24 is not the only option. You can have /8 (only matches the first byte, so 10.0.2.0/8 will match 10.0.0.0 to 10.255.255.255), /16 (10.0.0.0 to 10.0.255.255), or /32 (only the exact IP address is accepted, so 10.0.2.0/32 is the same as 10.0.2.0 only).

It’s important to note that you can have multiple `RemoteIPInternalProxy` lines. For example, your site can be under a public proxy (CloudFlare, for example) and a private proxy. Just add both of those IPs, each on its own `RemoteIPInternalProxy` line, and you’re good to go.

Now, just restart your Apache service and it should work. Try adding your own IP to the deny list in .htaccess to see if you get yourself banned 😉
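
To see why the list of trusted proxies matters, here is a simplified Python model of the behaviour described above. It is an added example, not Apache's code: the header is walked from right to left, and a hop is only believed while the address that supplied it falls inside a trusted range. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumed trust list, mirroring the page's "RemoteIPInternalProxy 10.0.2.0/24".
TRUSTED = ["10.0.2.0/24"]

def cidr_range(cidr):
    """Return (first, last) address covered by a CIDR such as 10.0.2.0/24."""
    # strict=False masks the host bits, so 10.0.2.0/8 is read as 10.0.0.0/8.
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def is_trusted(addr, trusted=TRUSTED):
    """True if addr falls inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in trusted)

def resolve_client_ip(peer, header, trusted=TRUSTED):
    """Pick the client IP from the TCP peer and an X-Forwarded-For style value.

    Simplified model: each proxy appends the address it saw, so the rightmost
    entry is the most recent hop. An entry is accepted only if the address
    that reported it is trusted; everything further left is ignored.
    """
    client = peer
    hops = [h.strip() for h in (header or "").split(",") if h.strip()]
    while hops and is_trusted(client, trusted):
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = candidate
    return client

if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, header value).
    samples = [
        ("10.0.2.15", "203.0.113.7"),             # through the trusted proxy
        ("198.51.100.9", "1.2.3.4"),              # direct hit with forged header
        ("10.0.2.15", "192.0.2.66, 203.0.113.7"), # client pre-filled the header
    ]
    for peer, header in samples:
        print(peer, "|", header, "->", resolve_client_ip(peer, header))
    for cidr in ("10.0.2.0/24", "10.0.2.0/8", "10.0.2.0/32"):
        print(cidr, cidr_range(cidr))
```

The second and third samples show the point of the trust list: a header sent by an untrusted peer is ignored, and entries a client inserted ahead of the proxy's own entry are never reached.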
