Apache doesn't log remoteIP when RemoteIPHeader X-Forwarded-For is present

Solution 1:

Restore %a to that format if you're going to use mod_remoteip.

In bugzilla, mod_remoteip fills in %a while it removes from %{X-Forwarded-For}i. So in a simple case with one trusted proxy, %a will hold the value used to see in X-Forwarded-For because of mod_remoteip

Solution 2:

Proxy Layer (Nginx)

proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Real-IP       $remote_addr;

Backend Layer (Apache)

# Log format config
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "logs/access_log" common env=forwarded

# Header config
RemoteIPHeader X-Real-IP
RemoteIPHeader X-Client-IP
RemoteIPInternalProxy 192.168.10.10 192.168.10.11

Description:

proxy_set_header - directive sets headers that nginx sends to backend; so in this example We sends two variables (to headers): X-Forwarded-For and X-Real-IP

X-Forwarded-For - on the proxy side it must be set that this header should be passed to backends and accessible from their layer

X-Real-IP - it does not affect the required variables on the web page but we leave it enabled so that the Apache server places the client's address in the logs (you also need to set the log format itself):

### X-Real-IP enabled
172.217.20.206 - - [03/Jun/2017:11:12:11 +0200] "GET /tls-check.php?9832 HTTP/1.0" 200 1409
### X-Real-IP disabled
172.16.21.11 - - [03/Jun/2017:15:12:49 +0200] "GET /tls-check.php?13266 HTTP/1.0" 200 1448

Curl

:~$ curl -H Cache-Control: no-cache -ks https://example.com/tls-check.php?${RANDOM} | grep "HTTP_X_FORWARDED_FOR\|HTTP_X_REAL_IP\|SERVER_ADDR\|REMOTE_ADDR"
[HTTP_X_FORWARDED_FOR] => 172.217.20.206
[HTTP_X_REAL_IP] => 172.217.20.206
[SERVER_ADDR] => 192.168.10.100
[REMOTE_ADDR] => 192.168.10.10

tls_check.php

<?php

echo '<pre>';
print_r($_SERVER);
echo '</pre>';
exit;

?>