Posted On 14.03.2026

ConfDroid Puppet Modules – Apache


Optimizing Apache Logging Behind Load Balancers: A Smart Addition to the confdroid_apache Puppet Module

If you manage web applications on Rocky Linux (or similar RHEL-based systems), you know how useful a clean, minimal Apache base can be. That’s exactly what the confdroid_apache module delivers. It installs the core httpd packages, sets up the standard configuration files, includes everything in /etc/httpd/conf.d/*.conf, starts the service, and opens firewall ports 80 and 443. Nothing more, nothing less.

The beauty of this design is simplicity. Other modules—like the one for Nagios—can simply declare confdroid_apache as a dependency and then drop their own virtual hosts and site configs into the conf.d directory. No conflicts, no bloat.

You can explore the full module here:

Why Load Balancer Support Matters

When Apache sits behind a load balancer (HAProxy, NGINX, AWS ELB, etc.), every request appears to come from the load balancer’s IP address. That breaks two critical things:

  1. Access logs show the wrong client IP.
  2. Security tools like Fail2Ban see only the load balancer, so they can’t ban real attackers.

The fix is surprisingly small but powerful: enable Apache’s mod_remoteip module and rewrite the client address from the X-Forwarded-For header. On the load balancer you also need to enable forwarding of that header, for example by setting ‘option forwardfor’ on HAProxy.

The Clean Load-Balancer Config

Here’s the exact file the module deploys when you turn on load-balancer mode (ae_use_lb => true):

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy <IP or IP-range>
RemoteIPInternalProxy <IP or IP-range>

# mod_remoteip rewrites client address for %a; use it in common/combined logs.
LogFormat "%a %l %u %t \"%r\" %>s %b" common
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

This single file goes into /etc/httpd/conf.d/loadbalancer-remoteip.conf and instantly fixes logging for every virtual host.

For this to work, mod_remoteip needs to be loaded, which is done by default on RHEL-based systems.
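
The Python sketch below is an added example, not code from the module or from Apache. It is a simplified IPv4 model of how mod_remoteip picks the address logged as %a, showing why the RemoteIPTrustedProxy / RemoteIPInternalProxy ranges should cover only the load balancer. The addresses are constructed, and the balancer is assumed to append the client address it saw as the last X-Forwarded-For entry.

```python
import ipaddress

# IPv4 blocks the mod_remoteip documentation treats as private/intranet.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

def _listed(addr, nets):
    return any(addr in net for net in nets)

def resolve_client_ip(peer_ip, xff, trusted=(), internal=()):
    """Simplified IPv4 model of the address Apache would log as %a."""
    trusted = [ipaddress.ip_network(n) for n in trusted]
    internal = [ipaddress.ip_network(n) for n in internal]
    current = ipaddress.ip_address(peer_ip)      # TCP peer, not taken from any header
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops:
        via_internal = _listed(current, internal)
        if not via_internal and not _listed(current, trusted):
            break                                # sender is not a listed proxy: ignore the rest
        try:
            candidate = ipaddress.ip_address(hops[-1])   # rightmost entry first
        except ValueError:
            break                                # unparsable entry: keep what we have
        if not via_internal and _listed(candidate, PRIVATE):
            break                                # RemoteIPTrustedProxy may not vouch for private IPs
        hops.pop()
        current = candidate
    return str(current)

if __name__ == "__main__":
    lb = "10.0.0.5"                              # constructed load balancer address
    # Constructed header: client-supplied value first, balancer-appended value last.
    header = "198.51.100.99, 203.0.113.7"
    print("scoped :", resolve_client_ip(lb, header, trusted=[lb]))
    print("broad  :", resolve_client_ip(lb, header, trusted=["0.0.0.0/0"]))
    print("direct :", resolve_client_ip("203.0.113.7", "198.51.100.99", trusted=[lb]))
    print("private:", resolve_client_ip(lb, "192.168.1.20", trusted=[lb]))
    print("intern :", resolve_client_ip(lb, "192.168.1.20", internal=[lb]))
```

With the range scoped to the balancer, the logged address is the one the balancer itself observed; with an over-broad range, a client-supplied entry ends up in the access log that Fail2Ban reads.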

Bonus: Perfect Synergy with confdroid_fail2ban

Once Apache logs the real client IP, your Fail2Ban jail rules (which usually read the Apache access log) start working exactly as expected. No more false negatives, no manual log parsing hacks. It’s a tiny change that makes your entire security stack dramatically more effective.

Quick Start

  1. Add the module via r10k / Puppetfile (already in the collection).
  2. Declare the class with ae_use_lb => true (and your proxy range).
  3. Let downstream modules (Nagios, WordPress, etc.) add their virtual hosts—they’ll automatically benefit from correct logging.

That’s it. You now have a rock-solid, production-ready Apache base that plays nicely behind load balancers and security tools.

If you’re already using confdroid_apache, try the load-balancer parameter today—it takes seconds to enable and saves hours of troubleshooting later. Happy Puppet-ing!

