Learn how to verify real client IP in Linode NodeBalancer with Proxy Protocol. Clear steps xact Nginx configs, logs, and testing commands. Our 24/7 Linode Live Support Team is always here to help you.
If you run apps behind a load balancer, you already know the pain. Logs show the load balancer IP, not the real visitor. Rate limits fail. Geo rules break. Debugging turns into guesswork. This guide shows how to Verify Client IP in Linode NodeBalancer with Proxy Protocol without hacks, guesswork, or half-working headers.
Let’s walk through it cleanly, using Nginx and Linode’s NodeBalancer.
What is Proxy Protocol (and why it matters)
A Proxy Protocol is a small header added before the actual TCP connection. It carries the original client’s IP, port, and protocol details from the load balancer to your server. As a result, your backend finally sees the real visitor instead of the balancer.
Because of this, logging becomes accurate. Security rules work again. Audits make sense. Most importantly, you regain visibility.
Steps
Create a Linode VM (with private IP)
First, create a Linode in the same region where your NodeBalancer will live. During setup, enable Private IP.
Install Nginx using user data or SSH:
#!/bin/bash
apt-get update -y && apt-get upgrade -y
apt-get install nginx -yAfter boot, verify networking:
ifconfigYou should see:
- eth0 → public + private IP
- eth1 → VLAN interface
This matters because NodeBalancer talks over private IP only.
Create NodeBalancer with Proxy Protocol enabled
Now create a NodeBalancer in the same region.
- Protocol: TCP
- Enable: Proxy Protocol (v1 or v2)
- Backend: your Nginx VM (private IP)
At this stage, Linode starts injecting Proxy Protocol headers before every request.
Observe the problem (before fix)
Check Nginx logs:
tail -f /var/log/nginx/access.logYou’ll notice requests coming from something like 192.168.255.20. That’s the NodeBalancer, not the user. So far, nothing is fixed.
Configure Nginx to accept Proxy Protocol
Edit Nginx config:
vi /etc/nginx/nginx.confAdd or update the following:
http {
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
server {
listen 80 proxy_protocol;
server_name localhost;
set_real_ip_from 0.0.0.0/0; # replace with NodeBalancer private IP later
real_ip_header proxy_protocol;
}
log_format main '$proxy_protocol_addr:$proxy_protocol_port '
'$remote_addr - - [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log main;
}Test and restart:
nginx -t
systemctl restart nginxAt this point, you’ve officially configured Nginx to Verify Client IP in Linode NodeBalancer with Proxy Protocol.
Final verification (no assumptions)
Capture traffic:
tcpdump -i eth0 src host 192.168.255.20Then check logs again:
tail -f /var/log/nginx/access.logYou’ll now see two IPs:
- Real client IP (first)
- NodeBalancer private IP (second)
That confirms the setup works.
Restore real visitor visibility today
Why this setup is worth it
First, logs finally tell the truth. Next, security rules behave correctly. Then, analytics improves. Above all, debugging becomes sane again. This is why teams running serious workloads with Proxy Protocol instead of relying on headers alone.
Conlcusion
Load balancers don’t have to blind your servers. With the right setup, you can Verify Client IP in Linode NodeBalancer with Proxy Protocol, keep your logs clean, and protect your application the right way.
