After you add your website to Web Application Firewall (WAF), WAF filters incoming requests and forwards normal traffic to your origin server. Because WAF acts as an intermediate proxy, the origin server receives the WAF back-to-origin IP rather than the client's real IP. This topic explains how to configure your web server or Kubernetes container to extract the client's originating IP address from the X-Forwarded-For header.
How it works
WAF inserts the client IP into the X-Forwarded-For request header before forwarding the request to your origin server:

X-Forwarded-For: <client IP>

When requests pass through multiple proxies, such as WAF, Anti-DDoS Pro or Anti-DDoS Premium, and Alibaba Cloud CDN, each proxy appends its address. The header records a comma-separated chain:

X-Forwarded-For: <client IP>, <proxy 1 IP>, <proxy 2 IP>, <proxy 3 IP>, ...

The leftmost value is the originating client IP. Because any client can send an X-Forwarded-For header of its own, the origin server must honour the header only on requests that arrive from the WAF back-to-origin CIDR blocks; that is what the set_real_ip_from (NGINX) and RemoteIPInternalProxy (Apache) directives in the sections that follow enforce.
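The following Python script is an added example, not code from this documentation or from the WAF product, that shows why the header must be evaluated relative to a list of trusted proxies rather than read from the left. It mirrors the recursive trusted-proxy walk that Apache mod_remoteip (RemoteIPInternalProxy) and NGINX http_realip_module with real_ip_recursive on perform: the header is honoured only when the TCP peer is a trusted proxy, and the chain is walked from the right, skipping trusted proxy addresses, until the first address that no trusted proxy vouches for. The CIDR blocks, peer addresses and header values are constructed placeholders; real back-to-origin blocks come from the WAF console.

```python
"""Resolve the originating client IP from X-Forwarded-For using a trusted-proxy list.

Added example, not part of the WAF documentation. All addresses below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-ins for the WAF back-to-origin CIDR blocks (not real WAF ranges).
WAF_BACK_TO_ORIGIN_CIDRS = ["10.0.0.0/24", "10.0.1.0/24"]


def parse_trusted(cidrs: Iterable[str]) -> List[IPNetwork]:
    """Parse CIDR strings; a bare address is treated as a /32 or /128."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(addr: str, trusted: List[IPNetwork]) -> bool:
    """True if addr is a valid IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def leftmost_only(xff: Optional[str]) -> Optional[str]:
    """Naive approach: take the leftmost value unconditionally (client-spoofable)."""
    if not xff:
        return None
    return xff.split(",")[0].strip()


def resolve_client_ip(remote_addr: str, xff: Optional[str], trusted: List[IPNetwork]) -> str:
    """Return the originating client IP for one request.

    remote_addr is the TCP peer (what the web server sees as $remote_addr);
    xff is the raw X-Forwarded-For header value, or None when absent.
    """
    # A request that did not arrive from a trusted proxy carries a header we cannot use.
    if not is_trusted(remote_addr, trusted) or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    candidate = remote_addr
    # Walk from the right: each trusted proxy appended the address of the hop before it.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking and keep the last valid result
        if is_trusted(hop, trusted):
            candidate = hop  # one of our proxies: keep walking left
            continue
        return hop  # first address that no trusted proxy vouches for
    return candidate


def demo() -> Dict[str, str]:
    """Resolve a set of constructed requests: (peer address, X-Forwarded-For header)."""
    trusted = parse_trusted(WAF_BACK_TO_ORIGIN_CIDRS)
    requests = {
        "via_waf": ("10.0.0.5", "203.0.113.10"),
        # Client -> CDN -> WAF -> origin; the CDN's address sits in a trusted block.
        "via_cdn_and_waf": ("10.0.0.5", "203.0.113.10, 10.0.1.7"),
        # Client sent its own header; WAF appended the real address on the right.
        "forged_header_via_waf": ("10.0.0.5", "192.0.2.1, 203.0.113.10"),
        # Request that bypassed WAF entirely: the header is ignored.
        "direct_to_origin": ("198.51.100.9", "192.0.2.1"),
        "no_header": ("10.0.0.5", None),
    }
    return {name: resolve_client_ip(peer, xff, trusted) for name, (peer, xff) in requests.items()}


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:24s} -> {ip}")
```

For the forged-header case, leftmost_only returns the client-chosen 192.0.2.1 while resolve_client_ip returns the address WAF actually observed, which is the reason the NGINX and Apache steps below restrict trust to the back-to-origin blocks. The NGINX default (real_ip_recursive off) takes only the rightmost value, which gives the same answer when WAF is the sole proxy in front of the origin.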
Prerequisites
Before you begin, make sure you have:
A website added to WAF
The WAF back-to-origin CIDR blocks for your region. See Allow access from the back-to-origin CIDR blocks of WAF
Backups of your origin server environment, including Elastic Compute Service (ECS) instance snapshots and web server configuration files
Configure NGINX servers
NGINX uses the http_realip_module to read the real client IP from the X-Forwarded-For header.
Step 1: Install http_realip_module
Check whether the module is already installed. NGINX prints its build options to stderr, so redirect it before filtering:

nginx -V 2>&1 | grep http_realip_module

If the module appears in the output, skip to Step 2. If not, recompile NGINX with the module. The module is not included when NGINX is installed from a quick installation package.

# Download and unpack the NGINX source.
wget http://nginx.org/download/nginx-1.12.2.tar.gz
tar zxvf nginx-1.12.2.tar.gz
cd nginx-1.12.2
# Configure the build with http_realip_module enabled.
./configure --user=www --group=www --prefix=/alidata/server/nginx \
--with-http_stub_status_module \
--without-http-cache \
--with-http_ssl_module \
--with-http_realip_module
make
make install
# Start the new binary, then gracefully stop the old one (upgrade without downtime).
kill -USR2 `cat /alidata/server/nginx/logs/nginx.pid`
kill -QUIT `cat /alidata/server/nginx/logs/nginx.pid.oldbin`

Step 2: Update the server configuration
Open default.conf and add the following directives inside the location / {} block. Replace <ip_range1> through <ip_rangex> with the WAF back-to-origin CIDR blocks, one set_real_ip_from directive per CIDR block. List only the WAF back-to-origin blocks: every address covered by set_real_ip_from is trusted to supply the client IP.

set_real_ip_from <ip_range1>;
set_real_ip_from <ip_range2>;
...
set_real_ip_from <ip_rangex>;
real_ip_header X-Forwarded-For;

Example with three CIDR blocks:

set_real_ip_from 10.0.0.1;
set_real_ip_from 10.0.0.2;
set_real_ip_from 10.0.0.3;
real_ip_header X-Forwarded-For;
Step 3: Update the log format
Open nginx.conf and find the log_format directive in the http block. Replace $remote_addr with $http_x_forwarded_for so that logs record the client's originating IP:

log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent"';

$http_x_forwarded_for logs the raw header value, so an entry contains the full comma-separated proxy chain when the request passed through more than one proxy.
Step 4: Reload NGINX

nginx -s reload

Configure IIS 6 servers
IIS 6 uses the F5XForwardedFor module to retrieve the client's originating IP.
Copy F5XForwardedFor.dll from the x86\Release or x64\Release directory to a custom directory, such as C:\ISAPIFilters\x86 or C:\ISAPIFilters\x64.
- Make sure the Internet Information Services (IIS) process has read and write permissions on the directory.
- If the file is not in the release directory, download F5XForwardedFor.dll and copy it to the directory.
Open IIS Manager, right-click your website, and select Properties.
On the ISAPI Filters tab, click Add and set the following parameters (example for a 32-bit OS):
Filter name: x_forwarded_for_x86
Executable: full path to F5XForwardedFor.dll, for example C:\ISAPIFilters\x86\F5XForwardedFor.dll
Click OK, then restart the IIS 6 server for the changes to take effect.
Configure IIS 7 servers
IIS 7 uses the F5XForwardedFor module to retrieve the client's originating IP.
Copy F5XFFHttpModule.dll and F5XFFHttpModule.ini from the x86\Release or x64\Release directory to a custom directory, such as C:\x_forwarded_for\x86 or C:\x_forwarded_for\x64.
- Make sure the IIS process has read and write permissions on the directory.
- If the files are not in the release directory, download F5XForwardedFor and copy them to the directory.
In IIS Manager, double-click Modules.
In the Actions panel, click Configure Local Module, then click Register.
Register the module with the following parameters (example for a 32-bit OS):
Name: x_forwarded_for_x86
Path: full path to F5XFFHttpModule.dll, for example C:\x_forwarded_for\x86\F5XFFHttpModule.dll
In the Configure Local Module dialog box, select the newly registered module and click OK.
In the ISAPI and CGI Restrictions section, add the registered DLL and set Restriction to Allow.
Restart the IIS 7 server for the changes to take effect.
Configure Apache servers
Apache on Windows
Apache 2.4 and later includes mod_remoteip.so, which reads the real client IP from the X-Forwarded-For header.
Create conf/extra/httpd-remoteip.conf. Using a separate configuration file reduces direct edits to httpd.conf and avoids service disruptions from misconfigurations.

Add the following content to httpd-remoteip.conf. Replace <ip_range1> through <ip_rangex> with the WAF back-to-origin CIDR blocks, separated by spaces:

# Load the mod_remoteip.so module.
LoadModule remoteip_module modules/mod_remoteip.so
# Read the client IP from this header.
RemoteIPHeader X-Forwarded-For
# Trust only the WAF back-to-origin CIDR blocks as proxies.
RemoteIPInternalProxy <ip_range1> <ip_range2> ... <ip_rangex>

Example with three CIDR blocks:

RemoteIPInternalProxy 10.0.0.1 10.0.0.2 10.0.0.3

Add the following line to conf/httpd.conf to load the new configuration file:

Include conf/extra/httpd-remoteip.conf

Update the log format in httpd.conf to use %a, which records the remote IP resolved by mod_remoteip:

LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b" common

Restart Apache for the changes to take effect.
Apache on Linux
Apache 2.4 and later: remoteip_module is built in. Follow the same steps as for Apache on Windows.
Apache earlier than 2.4: Install the third-party mod_rpaf module.
Install mod_rpaf. The GitHub archive is saved as v0.6.0.tar.gz and unpacks into mod_rpaf-0.6.0:

wget https://github.com/gnif/mod_rpaf/archive/v0.6.0.tar.gz
tar zxvf v0.6.0.tar.gz
cd mod_rpaf-0.6.0
/alidata/server/httpd/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c

Append the following to /alidata/server/httpd/conf/httpd.conf. For RPAFproxy_ips, use the mod_rpaf module IPs from your Apache logs, not the WAF proxy server IPs. In most cases, two IP addresses are listed.

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 10.XX.XX.65 10.XX.XX.131
RPAFheader X-Forwarded-For

Restart Apache:

/alidata/server/httpd/bin/apachectl restart
For details on Apache mod_remoteip, see the Apache module documentation.
Configure Tomcat servers
Tomcat reads the client IP from the X-Forwarded-For header through its AccessLogValve.
Open tomcat/conf/server.xml and update the AccessLogValve entry to log %{X-FORWARDED-FOR}i instead of the default remote host:

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="%{X-FORWARDED-FOR}i %l %u %t %r %s %b %D %q %{User-Agent}i %T"
       resolveHosts="false"/>
Configure Kubernetes containers
When your origin server runs in Kubernetes, the Ingress controller stores the originating client IP in X-Original-Forwarded-For and WAF's back-to-origin IPs in X-Forwarded-For. To restore the originating IP to X-Forwarded-For, update the Ingress controller configuration.
Edit the kube-system/nginx-configuration ConfigMap:

kubectl -n kube-system edit cm nginx-configuration

Add the following keys to the data section:

compute-full-forwarded-for: "true"
forwarded-for-header: "X-Forwarded-For"
use-forwarded-headers: "true"

Save the file. The changes take effect immediately, with no restart required.

Update your application to read the originating client IP from the X-Original-Forwarded-For header instead of X-Forwarded-For.