1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>mod_remoteip - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.min.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body> 17<div id="page-header"> 18<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 19<p class="apache">Apache HTTP Server Version 2.4</p> 20<img alt="" src="/images/feather.gif" /></div> 21<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 22<div id="path"> 23<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Modules</a></div> 24<div id="page-content"> 25<div id="preamble"><h1>Apache Module mod_remoteip</h1> 26<div class="toplang"> 27<p><span>Available Languages: </span><a href="/en/mod/mod_remoteip.html" title="English"> en </a> | 28<a href="/fr/mod/mod_remoteip.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 29</div> 30<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Replaces the original client IP address for the connection 31with the useragent IP address list presented by a proxies or a load balancer 32via the request headers. 33</td></tr> 34<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr> 35<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>remoteip_module</td></tr> 36<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_remoteip.c</td></tr></table> 37<h3>Summary</h3> 38 39 <p>This module is used to treat the useragent which initiated the 40 request as the originating useragent as identified by httpd for the 41 purposes of authorization and logging, even where that useragent is 42 behind a load balancer, front end server, or proxy server.</p> 43 44 <p>The module overrides the client IP address for the connection 45 with the useragent IP address reported in the request header configured 46 with the <code class="directive"><a href="#remoteipheader">RemoteIPHeader</a></code> directive.</p> 47 48 <p>Once replaced as instructed, this overridden useragent IP address is 49 then used for the <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> 50 <code class="directive"><a href="/mod/mod_authz_core.html#require">Require ip</a></code> 51 feature, is reported by <code class="module"><a href="/mod/mod_status.html">mod_status</a></code>, and is recorded by 52 <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code> <code>%a</code> and <code class="module"><a href="/mod/core.html">core</a></code> 53 <code>%a</code> format strings. The underlying client IP of the connection 54 is available in the <code>%{c}a</code> format string.</p> 55 56 <div class="warning">It is critical to only enable this behavior from 57 intermediate hosts (proxies, etc) which are trusted by this server, since 58 it is trivial for the remote useragent to impersonate another 59 useragent.</div> 60</div> 61<div id="quickview"><h3 class="directives">Directives</h3> 62<ul id="toc"> 63<li><img alt="" src="/images/down.gif" /> <a href="#remoteipheader">RemoteIPHeader</a></li> 64<li><img alt="" src="/images/down.gif" /> <a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></li> 65<li><img alt="" src="/images/down.gif" /> <a href="#remoteipinternalproxylist">RemoteIPInternalProxyList</a></li> 66<li><img alt="" src="/images/down.gif" /> <a href="#remoteipproxiesheader">RemoteIPProxiesHeader</a></li> 67<li><img alt="" src="/images/down.gif" /> <a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></li> 68<li><img alt="" src="/images/down.gif" /> <a href="#remoteiptrustedproxylist">RemoteIPTrustedProxyList</a></li> 69</ul> 70<h3>Topics</h3> 71<ul id="topics"> 72<li><img alt="" src="/images/down.gif" /> <a href="#processing">Remote IP Processing</a></li> 73</ul><h3>See also</h3> 74<ul class="seealso"> 75<li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li> 76<li><code class="module"><a href="/mod/mod_status.html">mod_status</a></code></li> 77<li><code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code></li> 78</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 79<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 80<div class="section"> 81<h2><a name="processing" id="processing">Remote IP Processing</a></h2> 82 83 <p>Apache by default identifies the useragent with the connection's 84 client_ip value, and the connection remote_host and remote_logname are 85 derived from this value. These fields play a role in authentication, 86 authorization and logging and other purposes by other loadable 87 modules.</p> 88 89 <p>mod_remoteip overrides the client IP of the connection with the 90 advertised useragent IP as provided by a proxy or load balancer, for 91 the duration of the request. A load balancer might establish a long 92 lived keepalive connection with the server, and each request will 93 have the correct useragent IP, even though the underlying client IP 94 address of the load balancer remains unchanged.</p> 95 96 <p>When multiple, comma delimited useragent IP addresses are listed in the 97 header value, they are processed in Right-to-Left order. Processing 98 halts when a given useragent IP address is not trusted to present the 99 preceding IP address. The header field is updated to this remaining 100 list of unconfirmed IP addresses, or if all IP addresses were trusted, 101 this header is removed from the request altogether.</p> 102 103 <p>In overriding the client IP, the module stores the list of intermediate 104 hosts in a remoteip-proxy-ip-list note, which <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code> 105 can record using the <code>%{remoteip-proxy-ip-list}n</code> format token. 106 If the administrator needs to store this as an additional header, this 107 same value can also be recording as a header using the directive 108 <code class="directive"><a href="#remoteipproxiesheader">RemoteIPProxiesHeader</a></code>.</p> 109 110 <div class="note"><h3>IPv4-over-IPv6 Mapped Addresses</h3> 111 As with httpd in general, any IPv4-over-IPv6 mapped addresses are recorded 112 in their IPv4 representation.</div> 113 114 <div class="note"><h3>Internal (Private) Addresses</h3> 115 All internal addresses 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 116 blocks (and IPv6 addresses outside of the public 2000::/3 block) are only 117 evaluated by mod_remoteip when <code class="directive"><a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></code> 118 internal (intranet) proxies are registered.</div> 119 120</div> 121<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 122<div class="directive-section"><h2><a name="RemoteIPHeader" id="RemoteIPHeader">RemoteIPHeader</a> <a name="remoteipheader" id="remoteipheader">Directive</a></h2> 123<table class="directive"> 124<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare the header field which should be parsed for useragent IP addresses</td></tr> 125<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPHeader <var>header-field</var></code></td></tr> 126<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 127<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 128<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr> 129</table> 130 <p>The <code class="directive"><a href="#remoteipheader">RemoteIPHeader</a></code> directive triggers 131 <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> to treat the value of the specified 132 <var>header-field</var> header as the useragent IP address, or list 133 of intermediate useragent IP addresses, subject to further configuration 134 of the <code class="directive"><a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></code> and 135 <code class="directive"><a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></code> directives. Unless these 136 other directives are used, <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> will trust all 137 hosts presenting a <code class="directive"><a href="#remoteipheader">RemoteIPHeader</a></code> IP value.</p> 138 139 <div class="example"><h3>Internal (Load Balancer) Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Client-IP</pre> 140</div> 141 142 <div class="example"><h3>Proxy Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Forwarded-For</pre> 143</div> 144 145</div> 146<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 147<div class="directive-section"><h2><a name="RemoteIPInternalProxy" id="RemoteIPInternalProxy">RemoteIPInternalProxy</a> <a name="remoteipinternalproxy" id="remoteipinternalproxy">Directive</a></h2> 148<table class="directive"> 149<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr> 150<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPInternalProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</code></td></tr> 151<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 152<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 153<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr> 154</table> 155 <p>The <code class="directive"><a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></code> directive adds one 156 or more addresses (or address blocks) to trust as presenting a valid 157 RemoteIPHeader value of the useragent IP. Unlike the 158 <code class="directive"><a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></code> directive, any IP address 159 presented in this header, including private intranet addresses, are 160 trusted when passed from these proxies.</p> 161 162 <div class="example"><h3>Internal (Load Balancer) Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Client-IP 163RemoteIPInternalProxy 10.0.2.0/24 164RemoteIPInternalProxy gateway.localdomain</pre> 165</div> 166 167</div> 168<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 169<div class="directive-section"><h2><a name="RemoteIPInternalProxyList" id="RemoteIPInternalProxyList">RemoteIPInternalProxyList</a> <a name="remoteipinternalproxylist" id="remoteipinternalproxylist">Directive</a></h2> 170<table class="directive"> 171<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr> 172<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPInternalProxyList <var>filename</var></code></td></tr> 173<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 174<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 175<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr> 176</table> 177 <p>The <code class="directive"><a href="#remoteipinternalproxylist">RemoteIPInternalProxyList</a></code> directive specifies 178 a file parsed at startup, and builds a list of addresses (or address blocks) 179 to trust as presenting a valid RemoteIPHeader value of the useragent IP.</p> 180 181 <p>The '<code>#</code>' hash character designates a comment line, otherwise 182 each whitespace or newline separated entry is processed identically to 183 the <code class="directive"><a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></code> directive.</p> 184 185 <div class="example"><h3>Internal (Load Balancer) Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Client-IP 186RemoteIPInternalProxyList conf/trusted-proxies.lst</pre> 187</div> 188 189 <div class="example"><h3>conf/trusted-proxies.lst contents</h3><pre># Our internally trusted proxies; 19010.0.2.0/24 #Everyone in the testing group 191gateway.localdomain #The front end balancer</pre></div> 192 193</div> 194<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 195<div class="directive-section"><h2><a name="RemoteIPProxiesHeader" id="RemoteIPProxiesHeader">RemoteIPProxiesHeader</a> <a name="remoteipproxiesheader" id="remoteipproxiesheader">Directive</a></h2> 196<table class="directive"> 197<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare the header field which will record all intermediate IP addresses</td></tr> 198<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPProxiesHeader <var>HeaderFieldName</var></code></td></tr> 199<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 200<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 201<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr> 202</table> 203 <p>The <code class="directive"><a href="#remoteipproxiesheader">RemoteIPProxiesHeader</a></code> directive specifies 204 a header into which <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> will collect a list of 205 all of the intermediate client IP addresses trusted to resolve the useragent 206 IP of the request. Note that intermediate 207 <code class="directive"><a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></code> addresses are recorded in 208 this header, while any intermediate 209 <code class="directive"><a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></code> addresses are discarded.</p> 210 211 <div class="example"><h3>Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Forwarded-For 212RemoteIPProxiesHeader X-Forwarded-By</pre> 213</div> 214 215</div> 216<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 217<div class="directive-section"><h2><a name="RemoteIPTrustedProxy" id="RemoteIPTrustedProxy">RemoteIPTrustedProxy</a> <a name="remoteiptrustedproxy" id="remoteiptrustedproxy">Directive</a></h2> 218<table class="directive"> 219<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr> 220<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPTrustedProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</code></td></tr> 221<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 222<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 223<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr> 224</table> 225 <p>The <code class="directive"><a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></code> directive adds one 226 or more addresses (or address blocks) to trust as presenting a valid 227 RemoteIPHeader value of the useragent IP. Unlike the 228 <code class="directive"><a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></code> directive, any intranet 229 or private IP address reported by such proxies, including the 10/8, 172.16/12, 230 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public 231 2000::/3 block) are not trusted as the useragent IP, and are left in the 232 <code class="directive"><a href="#remoteipheader">RemoteIPHeader</a></code> header's value.</p> 233 234 <div class="example"><h3>Trusted (Load Balancer) Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Forwarded-For 235RemoteIPTrustedProxy 10.0.2.16/28 236RemoteIPTrustedProxy proxy.example.com</pre> 237</div> 238 239</div> 240<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 241<div class="directive-section"><h2><a name="RemoteIPTrustedProxyList" id="RemoteIPTrustedProxyList">RemoteIPTrustedProxyList</a> <a name="remoteiptrustedproxylist" id="remoteiptrustedproxylist">Directive</a></h2> 242<table class="directive"> 243<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr> 244<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPTrustedProxyList <var>filename</var></code></td></tr> 245<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 246<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 247<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr> 248</table> 249 <p>The <code class="directive"><a href="#remoteiptrustedproxylist">RemoteIPTrustedProxyList</a></code> directive specifies 250 a file parsed at startup, and builds a list of addresses (or address blocks) 251 to trust as presenting a valid RemoteIPHeader value of the useragent IP.</p> 252 253 <p>The '<code>#</code>' hash character designates a comment line, otherwise 254 each whitespace or newline separated entry is processed identically to 255 the <code class="directive"><a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></code> directive.</p> 256 257 <div class="example"><h3>Trusted (Load Balancer) Example</h3><pre class="prettyprint lang-config">RemoteIPHeader X-Forwarded-For 258RemoteIPTrustedProxyList conf/trusted-proxies.lst</pre> 259</div> 260 261 <div class="example"><h3>conf/trusted-proxies.lst contents</h3><p><code> 262 # Identified external proxies;<br /> 263 192.0.2.16/28 #wap phone group of proxies<br /> 264 proxy.isp.example.com #some well known ISP 265 </code></p></div> 266 267</div> 268</div> 269<div class="bottomlang"> 270<p><span>Available Languages: </span><a href="/en/mod/mod_remoteip.html" title="English"> en </a> | 271<a href="/fr/mod/mod_remoteip.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 272</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 273<script type="text/javascript"><!--//--><![CDATA[//><!-- 274var comments_shortname = 'httpd'; 275var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html'; 276(function(w, d) { 277 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 278 d.write('<div id="comments_thread"><\/div>'); 279 var s = d.createElement('script'); 280 s.type = 'text/javascript'; 281 s.async = true; 282 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 283 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 284 } 285 else { 286 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 287 } 288})(window, document); 289//--><!]]></script></div><div id="footer"> 290<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 291<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 292if (typeof(prettyPrint) !== 'undefined') { 293 prettyPrint(); 294} 295//--><!]]></script> 296</body></html>
