Learn how to correctly handle real client IPs using DigitalOcean Load Balancer X-Forwarded-For with Nginx, including exact configs and commands.
If you’re running your app behind a DigitalOcean Load Balancer and every request shows the same IP, you’re not alone. Logs break, rate limits fail, analytics go blind, all because the real visitor IP is hidden. This is exactly where the X-Forwarded-For header on a DigitalOcean Load Balancer becomes critical.
Let’s fix it properly, with just what actually works.

Why the Client IP Disappears Behind DigitalOcean Load Balancer
By default, DigitalOcean Load Balancers act as a reverse proxy. So instead of the visitor connecting directly to your Droplet, the load balancer opens the connection and passes the visitor’s IP along in request headers.
The most important header here is:
X-Forwarded-For
This header contains the original client IP plus any proxy IPs in the chain. However, unless your web server is told to trust and read it, you’ll only see the load balancer’s private IP.
That’s the core issue people hit with X-Forwarded-For behind a DigitalOcean Load Balancer.
How DigitalOcean Sends X-Forwarded-For
DigitalOcean automatically adds these headers:
- X-Forwarded-For → original client IP
- X-Forwarded-Proto → http or https
- X-Forwarded-Port → request port
You do not need to configure this on the load balancer side. The fix happens on your Droplet.
Nginx Fix: Trust DigitalOcean Load Balancer IPs
Since Nginx is the most common setup, let’s start there.
Check for the real IP module (usually preinstalled)
nginx -V 2>&1 | grep realip
If you see --with-http_realip_module, you’re good.
Update Nginx config
Edit your main Nginx config or site file:
sudo nano /etc/nginx/nginx.conf
Add inside the http block:
set_real_ip_from 10.0.0.0/8;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
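Why this works:
- DigitalOcean Load Balancers use private IP ranges
- Nginx now trusts X-Forwarded-For only on connections that come from those ranges
- With real_ip_recursive on, trusted proxy addresses in the header are skipped and the real client IP is extracted correctly
This is the most reliable X-Forwarded-For configuration for a DigitalOcean Load Balancer. Any host in 10.0.0.0/8 that can reach the Droplet is trusted by this rule, so narrow the range to your own private network’s CIDR if you know it.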
Reload Nginx
sudo nginx -t
sudo systemctl reload nginx
Confirm It’s Working (Don’t Skip This)
Run:
tail -f /var/log/nginx/access.log
Then open your site in a browser.
If you now see your real public IP, the DigitalOcean Load Balancer X-Forwarded-For setup is complete.

Bonus: PHP / Laravel / WordPress Compatibility
Most modern apps already respect X-Forwarded-For, but only if the web server passes it correctly.
For WordPress on Nginx, no plugin is required once the server config is fixed.
For Laravel, ensure trusted proxies include private ranges rather than the '*' wildcard, which trusts every sender:
protected $proxies = ['10.0.0.0/8'];
Common Mistakes That Break X-Forwarded-For
- Trusting 0.0.0.0/0 (security risk)
- Forgetting real_ip_recursive on
- Restarting Nginx without testing config
- Assuming DigitalOcean needs LB-side changes (it doesn’t)
Avoid these and your setup stays clean.
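The first two mistakes above, and the trust settings from the Nginx section, can be seen in a small Python model of how the realip module picks the client address. This is an added example, not code from the original page or from Nginx itself; the addresses are constructed documentation-range values, and it assumes the load balancer appends the peer address it saw to any X-Forwarded-For the client sent.

```python
import ipaddress

def resolve_real_ip(peer, xff, trusted, recursive=True):
    """Simplified model of how Nginx's realip module picks the client address.

    peer:      address of the TCP connection Nginx accepted
    xff:       raw X-Forwarded-For header value
    trusted:   CIDRs listed in set_real_ip_from
    recursive: the real_ip_recursive setting
    """
    nets = [ipaddress.ip_network(cidr) for cidr in trusted]

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    current = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The header is only consulted while the address in hand is a trusted proxy.
    while hops and is_trusted(current):
        candidate = hops.pop()          # always read from the right-hand end
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break                       # unparsable entry: keep the current address
        current = candidate
        if not recursive:
            break                       # non-recursive: take the last entry and stop
    return current

# Constructed sample values (documentation ranges, not real hosts).
LB = "10.10.0.5"            # load balancer's private address (assumed)
CLIENT = "203.0.113.7"      # address the load balancer actually saw
FORGED = "198.51.100.99"    # value the client put in its own X-Forwarded-For

if __name__ == "__main__":
    scoped, wide_open = ["10.0.0.0/8"], ["0.0.0.0/0"]
    chain = f"{FORGED}, {CLIENT}"   # LB appended the real peer to the client's header
    print("scoped trust   :", resolve_real_ip(LB, chain, scoped))
    print("0.0.0.0/0 trust:", resolve_real_ip(LB, chain, wide_open))
    print("direct to host :", resolve_real_ip(CLIENT, FORGED, scoped))
    two_hops = f"{CLIENT}, 10.10.0.9"   # second internal proxy in the chain
    print("recursive off  :", resolve_real_ip(LB, two_hops, scoped, recursive=False))
    print("recursive on   :", resolve_real_ip(LB, two_hops, scoped, recursive=True))
```

With the scoped range the client-supplied entry is ignored; with 0.0.0.0/0 it becomes the logged address, so rate limits and allowlists keyed on it stop being reliable.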
Conclusion
Getting real IPs isn’t optional anymore. Security rules, analytics, and performance tools depend on it. Once configured, X-Forwarded-For handling behind a DigitalOcean Load Balancer works quietly in the background and never needs revisiting.
