The IPs in my weblogs have changed

Created at:
Avatar
Updated

An issue that often comes up for users of any full proxy-based product is that the original client IP address is often lost to the application or web server. This is because in a full proxy system there are two connections; one between the client and the proxy, and a second one between the proxy and the web server. Essentially, the web server sees the connection as coming from the proxy (Incapsula), not the client. 

Needless to say, this can cause problems if you want to know the IP address of the real client for logging, for troubleshooting, for tracking or performing IP address specific tasks such as geocoding.

Incapsula has developed solutions for common applications and development frameworks that can be used to restore the original client IPs. Visit this section for the list of available extensions

 

If you did not find an extension that matches your environment you can easily extract the original client IPs yourself. Incapsula inserts the original client IP address into two HTTP headers so it can be retrieved by the server for processing. The first is the standard HTTP header "X-Forwarded-For" and the second is an Incapsula header "Incap-Client-IP".

For example, configuring Apache to use the X-Forwarded-For instead of (or in conjunction with) the normal HTTP client header is pretty simple. Open your configuration file (usually in /etc/httpd/conf/) and find the section describing the log formats. Then add the following to the log format you want to modify, or create a new one that includes this to extract the X-Forwarded-For value:

    %{X-Forwarded-For}i

That's it. If you don't care about the proxy IP address, you can simply replace the traditional %h in the common log format with the new value, or you can add it as an additional header. Restart or reload Apache, and you're ready to go.

Was this article helpful?
8 out of 8 found this helpful
Have more questions? Submit a request

Comments

  • Avatar
    geekguy

    What do I do if I cannot edit the httpd config? Are there alternatives such as htaccess? If so, what are the instructions?

    %{X-Forwarded-For}i

  • Avatar
    Alex Corral

    I think %{HTTP:X_FORWARDED_FOR} will work, we are testing it now so

  • Avatar
    echai

    @rgsx, make sure you visit our extensions section http://support.incapsula.com/forums/20158871-extensions

    There are solutions for common applications and development frameworks.

    Also, in addition to the X-Forwarded-For header, Incapsula proxies add a new header named Incap-Client-IP with the IP address of the client connecting to your web site. It is easier to parse the IP in this header because it is guaranteed that it contains only one IP while the X-Forwarded-For header might contain several IPs.

    I will update our documentation accordingly.

     

  • Avatar
    Martin L

    Your main competitor provides their proxy IP to make sure noone spoofs the header. Is it safe for me to trust only 199.83.128.0/21 ?

  • Avatar
    Martin L

    Nevermind, I found them in 'how to restrict direct access to your site'. For lighttpd the config would be:

    $HTTP["remoteip"] == "199.83.128.0/21" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "149.126.72.0/21" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "194.90.228.56/29" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "46.51.174.78" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "184.73.240.163" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "122.248.247.129" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "173.203.97.38" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "79.125.118.62" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

    $HTTP["remoteip"] == "176.32.89.123" {

    extforward.forwarder = ( "all" => "trust" )

    extforward.headers = ("Incap-Client-IP")

    }

  • Avatar
    Tejinder Singh

    I think when we use our site on different servers using cdn, there will be different ip address for every server. Am i right?

    I want to use cdn service for http://idioms.in

  • Avatar
    Rivollet

    Hi,
    As of today (4 years later), I'm unable to find the Incapt-Client-Ip field in the header. This thread is still up to date ? How can we have the Incap-Client-ip field ?

    Edited by Rivollet
Powered by Zendesk