![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
![[FREE EBOOKS] Offensive Security Using Python, Learn Computer Forensics — 2nd edition & Four More Best Selling Titles](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![Ditching a Microsoft Job to Enter Startup Purgatory with Lonewolf Engineer Sam Crombie [Podcast #171]](https://cdn.hashnode.com/res/hashnode/image/upload/v1746753508177/0cd57f66-fdb0-4972-b285-1443a7db39fc.png?#)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-xl.jpg)
![Beats Studio Buds + On Sale for $99.95 [Lowest Price Ever]](https://www.iclarified.com/images/news/96983/96983/96983-640.jpg)
![New iPad 11 (A16) On Sale for Just $277.78! [Lowest Price Ever]](https://www.iclarified.com/images/news/97273/97273/97273-640.jpg)
![Apple's 11th Gen iPad Drops to New Low Price of $277.78 on Amazon [Updated]](https://images.macrumors.com/t/yQCVe42SNCzUyF04yj1XYLHG5FM=/2500x/article-new/2025/03/11th-gen-ipad-orange.jpeg)
![[Exclusive] Infinix GT DynaVue: a Prototype that could change everything!](https://www.gizchina.com/wp-content/uploads/images/2025/05/Screen-Shot-2025-05-10-at-16.07.40-PM-copy.png)
![T-Mobile discontinues a free number feature but a paid alternative exists [UPDATED]](https://m-cdn.phonearena.com/images/article/170235-two/T-Mobile-discontinues-a-free-number-feature-but-a-paid-alternative-exists-UPDATED.jpg?#)
How to Configure SafeLine WAF to Accurately Capture the Real Client IP
When reviewing attack logs in SafeLine WAF, you may notice that the source IPs sometimes seem incorrect. This guide explains why that happens—and how to ensure SafeLine captures the real client IP, especially when deployed behind proxies. Don’t want the full explanation? Jump to the conclusion for a quick fix. ❓ Why IPs Might Look Wrong By default, SafeLine reads the client IP from the socket of the incoming HTTP connection. This works perfectly if SafeLine is deployed as the outermost network device. However, in many production setups, SafeLine sits behind one or more proxies, such as: Nginx CDN providers Load balancers API gateways In these cases, the HTTP connection comes from the proxy, not the actual client. So SafeLine logs the proxy’s IP—not the attacker’s.
When reviewing attack logs in SafeLine WAF, you may notice that the source IPs sometimes seem incorrect. This guide explains why that happens—and how to ensure SafeLine captures the real client IP, especially when deployed behind proxies.
Don’t want the full explanation? Jump to the conclusion for a quick fix.
❓ Why IPs Might Look Wrong
By default, SafeLine reads the client IP from the socket of the incoming HTTP connection. This works perfectly if SafeLine is deployed as the outermost network device.
However, in many production setups, SafeLine sits behind one or more proxies, such as:
- Nginx
- CDN providers
- Load balancers
- API gateways
In these cases, the HTTP connection comes from the proxy, not the actual client. So SafeLine logs the proxy’s IP—not the attacker’s.
