Real IP when nginx, darkhttpd are behind HAProxy
By chimo

I use HAProxy as an entry point for most of the traffic hitting this server. Past that, I either have nginx fronting dynamic applications, or darkhttpd fronting static sites (such as this blog). This means that, unless configured otherwise, client IP addresses are known by HAProxy but applications behind it see all traffic coming from the HAProxy instance’s IP address.
HAProxy
One way you can expose the client’s IP address to the applications is using HAProxy’s “forwardfor” directive:

    frontend main
        option forwardfor

This tells HAProxy to add the client’s IP address to the value of “X-Forwarded-For” HTTP Header.
Now that the information is forwarded to the rest of the stack, it can be used in the logs, for example.
nginx
For nginx, we can tell it to use the IP address in the “X-Forwarded-For” header as the client’s IP in its logs with the “real_ip_header” directive:

    location / {
        ...
        real_ip_header X-Forwarded-For;
        ...
    }

darkhttpd
The next version of darkhttpd might include a `--trusted-ip` option, which tells darkhttpd to use the value of “X-Forwarded-For” as the client’s IP address if the traffic is coming from a proxy matching the “trusted-ip” value.
I tweaked the Alpine Linux darkhttpd APKBUILD and created my own darkhttpd-git package to test this out. It’s currently serving this blog and seems to work as intended:

    darkhttpd_args="--trusted-ip x.x.x.x"
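
The trust rule that the nginx and darkhttpd sections both rely on, written out as an added Python example (not code from nginx, darkhttpd or this blog): the header is believed only when the connection comes from the proxy, and then only its last entry, which is the one the proxy appended. The helper name `client_ip` and the documentation-range addresses are constructed for illustration.

```python
import ipaddress

def client_ip(peer, xff, trusted_proxies):
    """Pick the address to log for one request (illustrative helper).

    peer            -- source address of the TCP connection
    xff             -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- addresses/networks allowed to set the header
    """
    peer_addr = ipaddress.ip_address(peer)
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    # Anyone can send X-Forwarded-For, so it only counts when the
    # connection itself comes from a trusted proxy.
    if xff is None or not any(peer_addr in n for n in nets):
        return str(peer_addr)
    # The proxy appends the address it saw; entries before the last one
    # may have been supplied by the client.
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return str(peer_addr)  # malformed value: fall back to the peer

# Constructed sample requests; 192.0.2.10 stands in for the HAProxy host.
PROXIES = ["192.0.2.10"]
SAMPLES = [
    ("192.0.2.10", "198.51.100.7"),             # normal proxied request
    ("192.0.2.10", "10.0.0.1, 198.51.100.7"),   # client pre-filled the header
    ("203.0.113.50", "10.0.0.1"),               # direct hit, spoofed header
    ("192.0.2.10", "not-an-ip"),                # malformed header
    ("192.0.2.10", None),                       # header missing
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<13} xff={xff!r:<26} -> {client_ip(peer, xff, PROXIES)}")
```

In nginx the trusted list corresponds to `set_real_ip_from`; `real_ip_header` only rewrites the address for requests arriving from an address declared there.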