
Network Diagram

Hi Everyone,

Could anyone help me with a solution for this? Here's the setup:

  • Client : 1.1.1.1
  • Public Server: 2.2.2.2 (Digital Ocean)
  • pfSense : 3.3.3.3
  • WEBSERVER : 4.4.4.4

Public Server (Linux) is connected to pfSense via an IPsec VPN (strongSwan on Linux).

Setup:

Public server has iptables rules which port-forward HTTP(S) requests to the Webserver:

```
# nat table, iptables-save format: rewrite the destination of inbound 80/443 to the webserver
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 4.4.4.4:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 4.4.4.4:443
```

Suppose client 1.1.1.1 accesses the Public Server via HTTP, which forwards the request to WEBSERVER 4.4.4.4. Based on the Apache logs, I'm getting the Public Server IP, which is 2.2.2.2; my objective is to get the client IP 1.1.1.1 instead.

Any suggestions? I've also tried using HAProxy but get the same result. Is there any way I can get the client IP via the IPsec VPN?

Many Thanks!


1 Answer


The NAT or VPN setup should not affect the logging of the client's IP address.

The public server (Apache reverse proxy or HAProxy in your question) would pass on the original client's IP using the X-Forwarded-For header.
See https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers as an example for Apache.

If using Apache, you may also need to install/enable mod_remoteip:
http://httpd.apache.org/docs/current/mod/mod_remoteip.html

and in your LogFormat replace the remote hostname %h with the client IP address of the request, %a.
See: mod_log_config.html#formats

  • Hi Abdallah, thanks for the info. I tried this but it didn't work; not sure what I'm missing. Let me simplify the setup: Public Server connects to pfSense (which is also a public server) via IPsec VPN. Public Server can directly access the internal Webserver 4.4.4.4 via the IPsec VPN. Thus, the public server uses iptables to redirect all HTTP traffic to 4.4.4.4, so from the Webserver logs I tried to modify the LogFormat but I am still getting the Public Server IP instead of the client IP. – Pak3rs Aug 17 '17 at 07:00
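As an added illustration (not part of the question or the answer above), the script below models what the answer is asking the webserver to do: treat 2.2.2.2 as the only trusted proxy, take the client address from X-Forwarded-For only when the connection actually comes from that proxy, and render the result as the %a field of an Apache access-log line. It uses the addresses from the question as constructed sample data; the trusted-proxy list, the request samples and the fixed timestamp are assumptions for the demo. The first sample also shows why the iptables-only setup cannot work: the DNAT rules quoted in the question rewrite only the destination, and once the public server source-NATs the forwarded connection there is no header left that carries 1.1.1.1, so the webserver can only ever log 2.2.2.2.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample data using the addresses from the question; 2.2.2.2 (the public
# server) is assumed to be the only proxy whose X-Forwarded-For header is trusted,
# the same role RemoteIPInternalProxy plays in mod_remoteip.
TRUSTED_PROXIES = [ipaddress.ip_network("2.2.2.2/32")]


def is_trusted_proxy(ip: str) -> bool:
    """True if ip belongs to a network we accept X-Forwarded-For from."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Approximate mod_remoteip: the TCP peer is the client unless the peer is a
    trusted proxy, in which case walk X-Forwarded-For from the right, skipping
    further trusted proxies, and take the first untrusted address.  If the peer
    is not trusted the header is ignored entirely, since any client can set it."""
    if not xff or not is_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer rather than log garbage
        if not is_trusted_proxy(hop):
            return hop
    return peer_ip  # every hop was one of our own proxies


def access_log_line(peer_ip: str, xff: Optional[str], request: str, status: int, size: int) -> str:
    """Render the fields of LogFormat "%a %l %u %t \"%r\" %>s %b" with %a resolved
    the way mod_remoteip would resolve it; %l, %u and %t are fixed placeholders."""
    client = effective_client_ip(peer_ip, xff)
    return f'{client} - - [17/Aug/2017:07:00:00 +0000] "{request}" {status} {size}'


# Constructed requests as seen by the webserver 4.4.4.4: (TCP peer, X-Forwarded-For)
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("2.2.2.2", None),                # iptables DNAT+SNAT only: no header, client is lost
    ("2.2.2.2", "1.1.1.1"),           # proxied via HAProxy/Apache: header carries the client
    ("2.2.2.2", "9.9.9.9, 1.1.1.1"),  # client 1.1.1.1 sent a fake XFF; the proxy appended the truth
    ("5.5.5.5", "1.1.1.1"),           # direct hit from an untrusted peer: header ignored
]


def demo() -> List[str]:
    """Log lines the webserver would write for each constructed request."""
    return [
        access_log_line(peer, xff, "GET / HTTP/1.1", 200, 1234)
        for peer, xff in SAMPLE_REQUESTS
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The equivalent production setup is: on the public server run HAProxy with `option forwardfor` (or Apache with mod_proxy, which sets X-Forwarded-For by default) instead of a bare DNAT; on the webserver load mod_remoteip with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 2.2.2.2`, and use `%a` in LogFormat. The `RemoteIPInternalProxy` line is the security-relevant part: without it, any client could put an arbitrary address in the header and have it logged as its own, which the fourth sample above shows being rejected.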