Understand how DigitalOcean Load Balancer X-Forwarded-For works, why it matters, and how to log real client IPs correctly with Nginx or Apache. Our DigitalOcean Live Support Team is always here to help you.
If you’ve ever opened your logs and wondered why every single visitor seems to come from the same IP, you’re not imagining it. Once you place your app behind a DigitalOcean Load Balancer, the traffic path changes. Instead of your server receiving requests directly, everything flows through the load balancer first. That’s exactly why the digitalocean load balancer x-forwarded-for header becomes one of the most important things to understand.
Yet many developers still overlook it, and that leads to broken analytics, faulty rate limits, and security blind spots. So today, let’s break it down clearly, with real examples and the exact server config you need.
Overview
Why the X-Forwarded-For Header Matters
Your application needs the original visitor’s IP. Not the load balancer’s. Not a proxy’s. The real one.
That’s where the digitalocean load balancer x-forwarded-for header steps in. The load balancer automatically adds this header to every request. And as a result, your backend can still see the true client IP, even though traffic passes through multiple hops.
But here’s the catch, if you don’t configure your server to read it, your logs will stay wrong forever.
How DigitalOcean Handles the Header
DigitalOcean does two things:
- If the header exists, it appends the client IP to the left of the list.
- If the header doesn’t exist, it creates it.
For example:
X-Forwarded-For: 103.22.10.8And if there’s already a value:
X-Forwarded-For: 103.22.10.8, 145.66.208.14This chain tells you exactly where the request travelled. And because the digitalocean load balancer x-forwarded-for header is automatically preserved, you don’t need any customization on the load balancer side.
How to Log the Real Client IP in Nginx
This is the step most developers miss. You must update your config to use the header.
Add this inside your server block:
real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;And when proxying:
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://your_backend;
}After that, your logs will show real user IPs, not the load balancer’s.
Get Real Client IPs Now
Apache Setup for Correct Client IP Logging
Apache needs its own module enabled:
a2enmod remoteipThen update:
RemoteIPHeader X-Forwarded-ForReplace your log format with:
LogFormat "%a %l %u %t \"%r\" %>s %b" combinedRestart Apache, and now every IP is accurate again.
Security and Rate Limiting Based on Real IPs
Once your app reads the true IP, you can:
- block attackers
- set per-IP rate limits
- track suspicious patterns
- analyze traffic by country
All of this depends on the digitalocean load balancer x-forwarded-for header working correctly.
Conclusion
Even though DigitalOcean doesn’t let you customize this header, understanding how it works gives you full control over logging, analytics, and traffic filtering. And because the digitalocean load balancer x-forwarded-for header always contains the first true client IP, you can trust your logs, once your server is configured properly.
