Home » Random Goodies » mod_rpaf and mod_remoteip

mod_rpaf and mod_remoteip

As most of us continue to expand our web footprints, we tend to use load balancers and reverse caching proxies to better handle and spread server loads. When doing so however, we still want to see the originating client IP, and not the IP used by HAProxy, Nginx, Varnish, etc.

For this we need to use mod_rpaf for Apache 1.3 & 2.2.x and mod_remoteip for Apache 2.4 and 2.5. Let’s being…

Apache 1.3 & 2.2.x mod_rpaf installation and configuration:

# cd /usr/local/src
# wget https://mirror.gurutek.biz/mod_rpaf-0.6.tar.gz
# tar xzf mod_rpaf-0.6.tar.gz
# cd mod_rpaf-0.6

For Apache 2.2.x:
# apxs -cia mod_rpaf-2.0.c

For Apache 1.3:
# apxs -cia mod_rpaf.c

At this point you will have mod_rpaf installed in your Apache modules directory. Please note, httpd-devel is required for apxs support.

Now, for the configuration part. Create an include config file or use /usr/local/apache/conf/includes/pre_virtualhost_global.conf if this is for a cPanel server:

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 1.2.3.4 5.6.7.8 9.0.1.2
RPAFheader X-Forwarded-For

Once your config file is loaded, you will need to restart your web server for the changes to take affect. Please note, you will want to replace the IP’s with the ones doing the forwarding. That pretty much concludes RPAF config, your access logs should now be showing the actual client values as long as the header is properly passed from HAProxy, Nginx, Varnish, or whatever it is you use.

For mod_remoteip, it’s a bit similar. First we get the source, compile and install the module:

# cd /usr/local/src
# wget https://svn.apache.org/repos/asf/httpd/httpd/trunk/modules/metadata/mod_remoteip.c
# apxs -n remoteip -cia mod_remoteip.c

Now we create the following config file for it, be it custom, or pre_virtualhost_global.conf for cPanel as mentioned above:

LoadModule remoteip_module modules/mod_remoteip.so

RemoteIPHeader X-Real-IP
RemoteIPInternalProxy 1.2.3.4
RemoteIPInternalProxy 5.6.7.8

RemoteIP however has a lot more configuration options which can be found at:

RemoteIPInternalProxy 1.2.3.4

To verify if either of the two modules are compiled in or loaded as a dynamic module, you can issue the following command:
# paste <(httpd -l 2>&1) <(httpd -M 2>&1)|egrep 'remoteip|rpaf'

As usual, comments are welcome 😉