Set REMOTE_ADDR to X-Forwarded-For in apache
In addition to mod_rpaf as mentioned before, it appears that mod_extract_forwarded will perform this function as well.
One advantage to mod_extract_forwarded
is that it is available from EPEL for RHEL/CentOS servers whereas mod_rpaf
is not.
It appears that neither of these two modules allow you to whitelist an entire subnet of proxy servers, which is why the CloudFlare folks created their own plugin: mod_cloudflare which, it should be noted, is not a general-purpose tool like the other two; it contains a hardcoded list of CloudFlare subnets.
Note that the X-Forwarded-For header may contain a list of IP addresses if the request has traversed more than one proxy. In this case, you usually want the leftmost IP. You can extract this with a SetEnvIf:
SetEnvIf X-Forwarded-For "^(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+).*" XFFCLIENTIP=$1
Note the use of $1 to set the XFFCLIENTIP environment variable to hold the contents of the first group in the regex (in the parentheses).
Then you can use the value of the environment variable to set headers (or use it in Apache log formats so that the logs contain the actual client IP).
Currently apache module mod_remoteip is the recommended way to do this; rpaf hasn't been reliably maintained, and can cause problems.
You can use mod_rpaf for that. http://stderr.net/apache/rpaf/