Why is an internal IP address stored as a customer IP?

When applications run behind a load balancer or Varnish, PHP may end up using the wrong IP address. The reason is that the HTTP header "REMOTE_ADDR" always contains the IP address of the last hop. In this setup, that is always the internal IP address of the load balancer.

The original addresses of the customer and all other components are then stored in the HTTP header "X_FORWARDED_FOR" as a list.

Example of the HTTP headers for the customer IP address:

  • "REMOTE_ADDR": 10.xxx


PHP frameworks usually process the IP addresses from the "X_FORWARDED_FOR" header and then the IP address from the "REMOTE_ADDR" header. If there is a problem with this processing, the wrong IP address is used.

This affects, among other things:

  • Recording of the customer IP address for purchases

  • IP address exceptions for maintenance mode


To work around this, the following PHP snippet has to be placed at the top, right after <?php, at the appropriate point * in the project:

```php
# fix to replace remote_addr variable to match incorrect handling for x-forwarded-for (e.g order creation, request->getClientIp(), ...)
if ( isset($_SERVER["HTTP_X_FORWARDED_FOR"]) && $_SERVER["HTTP_X_FORWARDED_FOR"] != null ) {
    if ( stripos($_SERVER["HTTP_X_FORWARDED_FOR"], ",") ) {
        $_SERVER["REMOTE_ADDR"] = substr($_SERVER["HTTP_X_FORWARDED_FOR"], 0, (int)stripos($_SERVER["HTTP_X_FORWARDED_FOR"], ","));
    } else {
        $_SERVER["REMOTE_ADDR"] = $_SERVER["HTTP_X_FORWARDED_FOR"];
    }
}
```

The script checks whether the HTTP header "X_FORWARDED_FOR" exists and transfers the real customer IP address to the HTTP header "REMOTE_ADDR". Since in most cases PHP uses the HTTP header "REMOTE_ADDR" to determine the IP address, the correct IP address is then picked up and processed.

  • Ideally, the snippet is added where the affected source code is used, for example directly in the source code of a plugin with the faulty behavior. Alternatively, it can be applied to the entire application. In this case, the snippet must be added at the top of, e.g., config.php for Shopware or index.php for Magento.


With Shopware, you also have the option of adding a config value to config.php that activates the use of the X-FORWARDED-FOR header.

```php
'trustedproxies' =>
    array (
        $_SERVER['REMOTE_ADDR']
    )
```

With this setting, Shopware accepts all X-FORWARDED-FOR headers sent to Shopware, which fixes the IP addresses. This does not raise a security issue, because in root360 environments it is ensured that only traffic from load balancers is routed to Shopware.
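A stricter way to pick the customer IP than taking the first list entry, as an added example (not code from the original page, Shopware or Magento): the header is only honoured when the direct peer is a known proxy, and the list is read from the right, because entries to the left of those appended by your own proxies are supplied by the client. The function names `ipInCidr` and `resolveClientIp`, the `10.0.0.0/8` proxy range and the sample requests are assumptions.

```php
<?php
// Added example, not from the original page. Function names, trusted
// range and sample requests are assumptions / constructed values.

// True if $ip lies inside $cidr (IPv4 or IPv6), e.g. "10.0.0.0/8".
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $a = @inet_pton($ip);
    $b = @inet_pton($net);
    if ($a === false || $b === false || strlen($a) !== strlen($b)) {
        return false; // invalid address or IPv4/IPv6 mismatch
    }
    // Compare the first $n bits of both addresses as bit strings.
    $toBits = fn(string $bin): string => implode('', array_map(
        fn(string $c): string => sprintf('%08b', ord($c)), str_split($bin)));
    $n = $bits === null ? strlen($a) * 8 : max(0, (int) $bits);
    return strncmp($toBits($a), $toBits($b), $n) === 0;
}

// Honour X-Forwarded-For only when the direct peer (REMOTE_ADDR) is a trusted
// proxy; read the list right to left, return the first non-proxy entry.
function resolveClientIp(array $server, array $trustedCidrs): string
{
    $isTrusted = fn(string $ip): bool => (bool) array_filter(
        $trustedCidrs, fn(string $cidr): bool => ipInCidr($ip, $cidr));
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !$isTrusted($peer)) {
        return $peer; // direct or untrusted sender: ignore the header
    }
    $client = $peer;
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address we could verify
        }
        $client = $hop;
        if (!$isTrusted($hop)) {
            break; // first hop that is not one of our own proxies
        }
    }
    return $client;
}

$trusted = ['10.0.0.0/8']; // assumed load balancer / Varnish range
// Constructed requests: regular, client-supplied first entry, direct request with header
echo resolveClientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.9'], $trusted), "\n";
echo resolveClientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.7'], $trusted), "\n";
echo resolveClientIp(['REMOTE_ADDR' => '198.51.100.20', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'], $trusted), "\n";
```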
