When your site is behind the NOC CDN or WAF, all HTTP/HTTPS traffic flows through NOC's edge servers before reaching your origin. As a result, your web server sees the NOC edge server's IP address as the connecting client, not the real visitor's IP. This affects server logs, analytics, rate limiting, access control, and any application logic that relies on the client IP address.
How the IP Gets Masked
In a normal setup without a CDN or reverse proxy, your web server sees the visitor's IP directly in the TCP connection. When NOC sits in front of your server, the flow changes:
- The visitor connects to a NOC edge server.
- The NOC edge server processes the request (WAF filtering, cache check).
- If the request needs to reach your origin, the edge server opens a new connection to your server.
- Your server sees the NOC edge server's IP as the source of the connection.
To preserve the real visitor's IP, NOC adds it to HTTP headers before forwarding the request to your origin. Your web server needs to be configured to read the visitor IP from these headers instead of the TCP connection.
X-Forwarded-For Header
NOC includes the original visitor's IP address in the X-Forwarded-For (XFF) header. This is the standard header used by reverse proxies and CDNs to pass the real client IP:
X-Forwarded-For: 203.0.113.50
If the request passed through multiple proxies, the header contains a comma-separated list with the original visitor IP first:
X-Forwarded-For: 203.0.113.50, 198.51.100.1
NOC also sends the visitor IP in the X-Real-IP header, which always contains a single IP address (the original visitor's IP).
Configuring Apache
Apache uses mod_remoteip to replace the connection IP with the IP from the X-Forwarded-For header. This module is included with Apache 2.4+.
Enable the module and configure it:
# Enable mod_remoteip
a2enmod remoteip
# Add to your Apache config or virtual host:
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 198.51.100.0/24
RemoteIPTrustedProxy 203.0.113.0/24
Replace the IP ranges above with the actual NOC edge IP ranges from your dashboard. The RemoteIPTrustedProxy directive ensures Apache only trusts the XFF header when the connection comes from a known NOC edge IP.
Update your log format to use %a instead of %h to log the restored visitor IP:
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Restart Apache to apply the changes:
systemctl restart apache2
Configuring Nginx
Nginx uses the ngx_http_realip_module to restore the visitor IP. This module is included in most Nginx installations.
Add the following to your Nginx server block or http block:
# Trust NOC edge IP ranges
set_real_ip_from 198.51.100.0/24;
set_real_ip_from 203.0.113.0/24;
# Use X-Forwarded-For to get the real IP
real_ip_header X-Forwarded-For;
real_ip_recursive on;
Replace the IP ranges with the actual NOC edge IP ranges. The real_ip_recursive on directive tells Nginx to use the last non-trusted IP in the XFF chain, which is the real visitor IP.
After adding the configuration, reload Nginx:
systemctl reload nginx
Configuring Application Code
If your application reads the client IP directly (e.g., for rate limiting, geolocation, or access logs), update it to check the XFF header first:
PHP
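// Trusts the header as sent: use only when the origin accepts connections
// solely from NOC edge IPs (see Security Considerations).
function getVisitorIP() {
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // First entry in the comma-separated list is the original visitor IP
        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        return trim($ips[0]);
    }
    if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
        return $_SERVER['HTTP_X_REAL_IP'];
    }
    // No proxy headers: fall back to the TCP connection address
    return $_SERVER['REMOTE_ADDR'];
}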
Node.js (Express)
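const express = require('express');
const app = express();
// Trust X-Forwarded-For only when the connection comes from the NOC edge ranges
// (replace with the actual ranges from your dashboard)
app.set('trust proxy', ['198.51.100.0/24', '203.0.113.0/24']);
// req.ip will now return the real visitor IP
app.get('/', (req, res) => {
  console.log('Visitor IP:', req.ip);
  res.send('OK');
});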
Python (Django)
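# In middleware or view
# Trusts the header as sent: use only when the origin accepts connections
# solely from NOC edge IPs (see Security Considerations).
def get_visitor_ip(request):
    x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
    if x_forwarded_for:
        # First entry in the comma-separated list is the original visitor IP
        return x_forwarded_for.split(',')[0].strip()
    return request.META.get('REMOTE_ADDR')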
Verifying the Configuration
After configuring your web server, verify that the real visitor IP is being logged correctly:
- Visit your site from a known IP address.
- Check your web server access logs. You should see your real IP, not a NOC edge IP.
- If your application displays the client IP (e.g., a "What is my IP" page), verify it shows the correct visitor IP.
Security Considerations
The X-Forwarded-For header can be spoofed by clients if your server is directly exposed to the internet. Only trust this header when the connection comes from a known, trusted proxy (NOC edge IPs). The RemoteIPTrustedProxy (Apache) and set_real_ip_from (Nginx) directives enforce this by only accepting the header from specified IP ranges.
Keep your trusted IP list up to date. If NOC adds new edge IP ranges, update your web server configuration to include them. Check the NOC dashboard periodically for any changes to the edge IP ranges.
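A stricter application-level lookup that follows the rule above (an added example, not NOC's code): it honors X-Forwarded-For only when the TCP peer is in the trusted ranges, and it walks the list right to left, as real_ip_recursive on does, instead of taking the first entry. The function names and the 192.0.2.x and 10.0.0.1 sample addresses are constructed, the trusted ranges are this page's placeholders, and the third sample assumes the edge appends to an X-Forwarded-For value the client supplied.

```python
import ipaddress

# Placeholder ranges taken from the config examples on this page; replace them
# with the actual NOC edge IP ranges from your dashboard.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr (an ip_address object) belongs to a trusted proxy range."""
    return any(addr in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the visitor IP, honoring X-Forwarded-For only from trusted peers."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not is_trusted(peer, trusted):
        # Connection did not come from a trusted edge: ignore the header.
        return str(peer)
    client = peer
    # Walk right to left; the rightmost entries were added by trusted proxies.
    for entry in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: keep the last address that validated
        client = hop
        if not is_trusted(hop, trusted):
            break  # first address outside the trusted ranges is the visitor
    return str(client)


if __name__ == "__main__":
    # Constructed samples: (TCP peer address, X-Forwarded-For value).
    samples = [
        ("198.51.100.7", "192.0.2.10"),            # normal request via an edge
        ("192.0.2.66", "10.0.0.1"),                # direct hit with forged header
        ("198.51.100.7", "10.0.0.1, 192.0.2.66"),  # forged entry, edge appended
        ("198.51.100.7", "not-an-ip"),             # malformed header value
    ]
    for peer, xff in samples:
        print(f"{peer:15} {xff!r:28} -> {resolve_client_ip(peer, xff)}")
```

In Django, call it with request.META.get('REMOTE_ADDR') and request.META.get('HTTP_X_FORWARDED_FOR').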