10.04.2025
19:26
To see the real IP addresses of site visitors, configure X-Forwarded-For decoding for networks from the list that was used when configuring the firewall. Below are examples of such settings for popular web servers.
Apache web server up to version 2.4
Edit the file /etc/apache2/mods-enabled/rpaf.conf and add the following lines:
<IfModule rpaf_module>
RPAFenable On
# When enabled, take the incoming X-Host header
# and update the virtualhost settings accordingly:
RPAFsethostname On
# Define which IPs are your frontend proxies that send
# the correct X-Forwarded-For headers:
RPAFproxy_ips 77.220.207.0/24 45.10.240.0/24 45.10.241.0/24 45.10.242.0/24 186.2.160.0/24 186.2.164.0/24 186.2.167.0/24 186.2.168.0/24
# Change the header name to parse from the default
# X-Forwarded-For to something of your choice:
# RPAFheader DDG-Connecting-IP
</IfModule>
Apache web server version 2.4 and above
- Deactivate the mod_rpaf module with the command a2dismod rpaf
- Activate the mod_remoteip module with the command a2enmod remoteip
- Restart the Apache service with the command: systemctl restart apache2
- Create or edit the file /etc/apache2/conf-available/remoteip.conf and add the following lines:
<IfModule remoteip_module>
# Take the visitor address from the X-Forwarded-For header:
RemoteIPHeader X-Forwarded-For
# Define which IPs are your frontend proxies that send
# the correct X-Forwarded-For headers:
RemoteIPTrustedProxy 77.220.207.0/24 45.10.240.0/24 45.10.241.0/24 45.10.242.0/24 186.2.160.0/24 186.2.164.0/24 186.2.167.0/24 186.2.168.0/24
</IfModule>
Nginx web server
Add the following lines to the http section of the file /etc/nginx/nginx.conf:
# Read the visitor address from X-Forwarded-For
# (nginx reads X-Real-IP by default):
real_ip_header X-Forwarded-For;
set_real_ip_from 77.220.207.0/24;
set_real_ip_from 45.10.240.0/24;
set_real_ip_from 45.10.241.0/24;
set_real_ip_from 45.10.242.0/24;
set_real_ip_from 186.2.160.0/24;
set_real_ip_from 186.2.164.0/24;
set_real_ip_from 186.2.167.0/24;
set_real_ip_from 186.2.168.0/24;
The contents of X-Forwarded-For can be forged, but the last address in the chain will always be the real IP from which the request came to our network. This address is also transmitted in the DDG-Connecting-IP header.
The X-Real-IP header is proxied unchanged and may contain false information. Do not use it for security-related functions.
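The trust rule described above, for applications that resolve the visitor address themselves, as an added Python example (not part of the original article or the provider's code). The helper names and sample requests are assumptions made for illustration; the proxy networks are the ones listed on this page.

```python
import ipaddress

# Proxy networks copied from the configuration examples on this page.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "77.220.207.0/24", "45.10.240.0/24", "45.10.241.0/24", "45.10.242.0/24",
    "186.2.160.0/24", "186.2.164.0/24", "186.2.167.0/24", "186.2.168.0/24",
)]


def is_trusted_proxy(addr):
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Hypothetical helper: pick the visitor address for one request.

    peer_addr is the TCP peer the server saw; headers is a name -> value dict.
    """
    # A request that bypassed the proxy can carry any header it likes,
    # so the socket address is the only evidence available.
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    lookup = {name.lower(): value for name, value in headers.items()}
    # Only the last X-Forwarded-For entry was appended by the proxy; earlier
    # entries came from the client. X-Real-IP is deliberately never read.
    last = lookup.get("x-forwarded-for", "").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return peer_addr  # header missing or malformed


# Constructed sample requests (documentation-range visitor addresses).
SAMPLES = [
    ("77.220.207.10", {"X-Forwarded-For": "10.0.0.1, 203.0.113.7"}),
    ("77.220.207.10", {"X-Forwarded-For": "203.0.113.7", "X-Real-IP": "127.0.0.1"}),
    ("198.51.100.20", {"X-Forwarded-For": "127.0.0.1"}),
    ("77.220.207.10", {}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```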