How do I see the real IP address of a connection through a NodeBalancer?
When using a NodeBalancer what's the best way to track where the connections actually come from? Is it possible to get the real IP address information once the connection reaches one of the Linodes behind the NodeBalancer?
When using a NodeBalancer in HTTP or HTTPS mode the Apache X-Forwarded-For header is added in for each connection with the original IP address for the connection. In TCP mode the packets aren't altered in any way, so there's no additional information added.
You can use the X-Forwarded-For header in a number of different ways. With Apache you could either use mod_rpaf or mod_remoteip to make sure the info provided by X-Forwarded-For is treated as the real IP address of the connection. With mod_remoteip installed for example, you can include the following directive in your site's configuration:
For Nginx you can use ngx_http_realip_module and include these two lines in your Nginx configuration:
The private IP address range mentioned there is the address range that we use for communications between a NodeBalancer and a Linode.
Sorry to jump in here, I was just wondering if I could clarify the following statement?
… In TCP mode the packets aren't altered in any way, so there's no additional information added.
Do you mean the original packet from the client's browser, or the packet originating from the NodeBalancer?
I.e. will a service running via TCP see the client's original IP, or the NodeBalancer's?
Also, you said that you use the range 192.168.255.0/24 for communication to backend Linodes. Doesn't this mean you're limited to 255 NodeBalancers per data-centre?
Hi @0xq - When a NodeBalancer is in TCP mode the original packet from the client's browser or computer won't be altered by the NodeBalancer and will be passed along to the back-end Linodes exactly as it is. However, the source IP address of the packet will be shown as the NodeBalancer as the NodeBalancer is sending the packet itself. That being said, in TCP mode you can enable Proxy Protocol to add a header containing client information:
There's more info on Proxy Protocol here:
If you'd like a specific kind of load-balancing setup or you'd like to have full control over the settings of a load balancer I'd recommend setting up HAProxy on a third Linode: