XF 2.1 Xenforo is logging all user's IP addresses as the load balancer's private IP address

[hutt132]

Apache Version: Apache/2.4.38 (Ubuntu)
PHP Version: 7.2.15

I'm hosting the website on an AWS server behind a load balancer. The website is logging every user's IP address as the private IP address of the load balancer instead of the user's public IP address.

In admin.php?tools/phpinfo on my site, the $_SERVER['REMOTE_ADDR'] variable is showing up as 172.30.0.200
The $_SERVER['HTTP_X_FORWARDED_FOR'] variable has my local machines public IP address.

To try to solve this, I edited the root index.php file to set $_SERVER['REMOTE_ADDR'] to $_SERVER['HTTP_X_FORWARDED_FOR']

if ($_SERVER['HTTP_X_FORWARDED_FOR']!==null && $_SERVER['HTTP_X_FORWARDED_FOR']!=='') {
  $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

However, now the website logs both the user's public IP AND the load balancer's private IP address at the same time ONLY when the user first logs into their account.
Once they are logged in, the website will continue to only log the load balancer's IP. The user's public IP won't be logged again until the user logs out and logs back in, where it will again log both IPs.

This is very odd behavior why it's logging both IPs only on logon even with the variable set in index.php.

 

[Paul B]

Try replacing the code with this:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

Does that change anything?

 

[Deebs]

If you are using the AWS Classic Load Balancer it is for more simple and better to enable support for proxy protocol and then in turn for apache. Bear in mind if you run multiple services behind the load balancer as they will break if you do not enable proxy protocol in them as well.

 

[hutt132]

Try replacing the code with this:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
}

Does that change anything?

Same behavior with this as well.

 

[eva2000]

proper way for apache origins behind a load balance is to properly configure and setup mod_remoteip to pass visitors real ip back to apache see https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

 

[hutt132]

proper way for apache origins behind a load balance is to properly configure and setup mod_remoteip to pass visitors real ip back to apache see https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html

This ended up resolving the issue. I followed this guide to set it up:
https://www.digitalocean.com/commun...ip-on-apache-server-used-behind-load-balancer

Thank you!

 

[eva2000]

This ended up resolving the issue. I followed this guide to set it up:
https://www.digitalocean.com/commun...ip-on-apache-server-used-behind-load-balancer

Thank you!

You're welcome

 

[alex_s]

I know this is an old thread, but it seems like the best place to post this, since it is where I got my info about substituting the XFF for the REMOTE_IP.

One thing to keep in mind... XFF is not limited to being a single IP. By spec it can be a comma separated list of IPs. As such, when I switched over to using Cloudflare, I had some problems with IPs not being right. And worse, all the hCaptcha's were giving me invalid remoteip errrors in the system log (and apparently breaking for people constantly saying they entered the captcha incorrectly).

My solution... similar to what is mentioned here... but properly account for the fact that the XFF header is comma separated... the first IP is the original client IP.

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    $_SERVER['REMOTE_ADDR'] = trim(explode(",", $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
}

Hope that helps anyone else... this will work whether or not you are using multiple reverse proxies. In my case, I had my main RP (which is a docker container serving multiple websites that reside on other containers), but then when adding Cloudflare on top of that, I effectively had multiple reverse proxies, and the XFF became two IP addresses (the first being the true client IP, and the second being Cloudflare).