Apache, Akamai, and True-Client-IP

You’re running a site behind Akamai, but can’t see the real client’s IP address, only that of your load balancer and/or Akamai’s IP addresses. Therefore you can’t act on it, ban IP’s….etc.

Akamai does pass the true IP address of clients, but not through the standard X-Forwarded-For header. It uses one named True-Client-IP. Apache doesn’t understand True-Client-IP so it doesn’t pass this along internally to logging and other modules like PHP.

There exists an Apache module named mod_remoteip which was introduced in Apache 2.4. A lot of sites don’t run Apache 2.4 yet as of the time of this article, but you can get a backported mod_remoteip module [link] thanks to Brane F Gracnar which runs with Apache 2.2. This module will take the value of True-Client-IP (or any other custom header) and overwrite REMOTE_ADDR internally, thereby allowing Apache to work with the real IP address of the client.

You can compile and install the module with

apxs -i -a -c mod_remoteip.c

After that, put this into your Apache vhost

RemoteIPHeader True-Client-IP

That’s all there is to it! The real clients IP address will now show in logs and in Apache server-status.