How do I see the real IP address of a connection through a NodeBalancer?

Linode Staff

When using a NodeBalancer what's the best way to track where the connections actually come from? Is it possible to get the real IP address information once the connection reaches one of the Linodes behind the NodeBalancer?

4 Replies

When using a NodeBalancer in HTTP or HTTPS mode the Apache X-Forwarded-For header is added in for each connection with the original IP address for the connection. In TCP mode the packets aren't altered in any way, so there's no additional information added.

You can use the X-Forwarded-For header in a number of different ways. With Apache you could either use mod_rpaf or mod_remoteip to make sure the info provided by X-Forwarded-For is treated as the real IP address of the connection. With mod_remoteip installed for example, you can include the following directive in your site's configuration:

RemoteIPHeader X-Forwarded-For

For Nginx you can use ngx_http_realip_module and include these two lines in your Nginx configuration:

real_ip_header X-Forwarded-For;

The private IP address range mentioned there is the address range that we use for communications between a NodeBalancer and a Linode.


Sorry to jump in here, I was just wondering if I could clarify the following statement?

… In TCP mode the packets aren't altered in any way, so there's no additional information added.

Do you mean the original packet from the client's browser, or the packet originating from the NodeBalancer?

I.e. will a service running via TCP see the client's original IP, or the NodeBalancer's?

Also, you said that you use the range for communication to backend Linodes. Doesn't this mean you're limited to 255 NodeBalancers per data-centre?

I would like some clarity on this.

Hi @0xq - When a NodeBalancer is in TCP mode the original packet from the client's browser or computer won't be altered by the NodeBalancer and will be passed along to the back-end Linodes exactly as it is. However, the source IP address of the packet will be shown as the NodeBalancer as the NodeBalancer is sending the packet itself. That being said, in TCP mode you can enable Proxy Protocol to add a header containing client information:

There's more info on Proxy Protocol here:

If you'd like a specific kind of load-balancing setup or you'd like to have full control over the settings of a load balancer I'd recommend setting up HAProxy on a third Linode:


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct