Search our site for answers
Help Docs Server Administration Linux Server Administration Apache Web Server Using Apache’s mod_remoteip to log visitor true IP addresses

Using Apache’s mod_remoteip to log visitor true IP addresses

Log true visitor IPs on cPanel with `mod_remoteip`. Install via EasyApache 4, then configure `X-Forwarded-For` & trusted proxies for accurate logs.
Applications LAMP Stack
5 min read

When your server is behind a reverse proxy, load balancer, or CDN, Apache’s access logs will typically show the IP address of the proxy server instead of the actual visitor’s IP address. Apache’s mod_remoteip module helps you see the original client IP address, which is crucial for accurate logging, statistics, and any IP-based access controls or applications.

This module overrides the client IP address for a request with the IP address reported by a trusted intermediate proxy or load balancer in a specific HTTP header, usually X-Forwarded-For.

Confirming if mod_remoteip is installed on a cPanel server

You can easily check if mod_remoteip is already enabled on your cPanel server via the command line.

First, access your server via SSH.

Next, run the following command to list all loaded Apache modules and search for remoteip_module:

apachectl -M | grep remoteip_module

If mod_remoteip is installed and active, you will see output similar to:

 remoteip_module (shared)

If the command returns no output, the module is not currently enabled.

Installing mod_remoteip via EasyApache 4

If mod_remoteip is not installed, you can easily add it using EasyApache 4 in your WebHost Manager (WHM) interface.

  1. Log into WHM as the ‘root’ user.
  2. In the search bar on the left, type “EasyApache” and click on EasyApache 4.
  3. Under “Currently Installed Packages,” click the Customize button.
  4. Click on the Apache Modules stage in the left-hand navigation.
  5. In the “Search Modules” field, type “remoteip”.
  6. You will see mod_remoteip in the list. Toggle the switch to the right of it to enable it. The system will automatically select it for provisioning.
  7. Click the Review stage in the left-hand navigation.
  8. Verify that mod_remoteip is listed under “Packages to be installed.”
  9. Scroll down and click the Provision button.
  10. Allow the provisioning process to complete. This may take a few minutes. Once done, you’ll see a “Done!” message.

After provisioning, Apache will automatically restart, loading the new module. You can re-run the command:

apachectl -M | grep remoteip_module

to confirm it’s now active.

Configuring mod_remoteip

Once mod_remoteip is installed, you need to configure it by telling Apache which proxy servers to trust and which HTTP header contains the actual visitor’s IP address. This configuration is typically added to Apache’s main configuration file or, more commonly, within a specific include file for user customizations in cPanel environments.

For cPanel servers, the recommended way to add this configuration is through include files to ensure your changes are not overwritten by cPanel updates. You can create a .conf file in the directory /etc/apache2/conf.d/includes/. For example, you could create /etc/apache2/conf.d/includes/remoteip.conf.

Here’s an example configuration:

<IfModule remoteip_module>
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 192.168.1.100
    RemoteIPTrustedProxy 10.0.0.0/24
    # Add additional RemoteIPTrustedProxy directives for each of your trusted proxy IPs or IP ranges.
</IfModule>

Let’s break down these directives:

  • RemoteIPHeader X-Forwarded-For: This line tells mod_remoteip to look for the original client’s IP address in the X-Forwarded-For HTTP header. This is the most common header used by proxies for this purpose. Other common headers include X-Real-IP. Check your proxy or CDN provider’s documentation to confirm the correct header.
  • RemoteIPTrustedProxy 192.168.1.100: This line specifies an individual IP address of a trusted proxy server. Replace 192.168.1.100 with the actual IP address of your proxy.
  • RemoteIPTrustedProxy 10.0.0.0/24: This line specifies a range of IP addresses for trusted proxy servers using CIDR notation. Replace 10.0.0.0/24 with the actual IP range of your proxies.

Important: Only add the IP addresses of servers that you trust to provide accurate information in the RemoteIPHeader. If you trust a malicious proxy, it could spoof IP addresses.

You can add multiple RemoteIPTrustedProxy lines if you have more than one proxy server or IP range.

After creating or modifying your remoteip.conf file (or wherever you choose to place the configuration), you need to test the Apache configuration and then gracefully restart Apache for the changes to take effect.

Test your Apache configuration:

apachectl configtest

If you see “Syntax OK”, you can proceed to restart Apache.

Gracefully restart Apache:

systemctl restart httpd

Once Apache restarts, it will begin using mod_remoteip with your specified configuration, and your access logs should now reflect the true visitor IP addresses.

Verifying the configuration

After configuring mod_remoteip and restarting Apache, you should verify that it’s working correctly:

  1. Access your website through the proxy/CDN.
  2. Check your website’s Apache access logs (usually within /var/log/apache2/domlogs/).
  3. The IP address logged for your connection should now be your actual public IP address, not the IP address of the proxy server.

If you still see the proxy IP, double-check your mod_remoteip configuration, ensure the correct header is specified, and confirm that the proxy IPs are correctly listed as trusted.

By correctly configuring mod_remoteip, you ensure more accurate logging and allow any IP-dependent applications or security rules to function as intended.

Was this article helpful?