nginx – AWS WAF is not showing the X-Forwarded-For header in the logs

I want WAF to show the X-Forwarded-For header in the logs so that I can create a rule based on header values.

Current Architecture

Client → AWS Global Accelerator → AWS WAF → ALB → NGINX (EC2) → Apache2/Laravel (EC2)

The Problem

I can see in my NGINX logs that the X-Forwarded-For header contains the correct client IP, but WAF doesn’t seem to be showing it in logs.

What I’ve Tried

  • In NGINX access logs: X-Forwarded-For: 203.0.1.45, 70.132.x.x (where the first IP is the real client)
  • Global Accelerator is preserving client IP in headers as expected
  • ALB is configured with X-Forwarded-For header preservation
  • I can see the X-Forwarded-For header both in the website (via dd(headers)) and in the NGINX logs

Application components:

  • AWS WAF v2 (Regional, attached to ALB)
  • AWS Global Accelerator (standard accelerator)
  • Application Load Balancer
  • NGINX
  • Laravel application on Apache2

Question

How can I configure AWS WAF v2 to:

  1. Extract the first IP address from the X-Forwarded-For header
  2. Use this extracted IP for rate-limiting and geo-matching rules

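To check what WAF actually received before keying rules on the header, the sketch below (an added example, not part of the original post) reads records in the AWS WAF log layout, takes the first X-Forwarded-For entry and builds a matching WAFv2 RateBasedStatement. The sample records, the limit of 1000 and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample records in the AWS WAF log layout (httpRequest.clientIp,
# httpRequest.headers as a list of name/value pairs). All values are made up.
SAMPLE_LOG_LINES = [
    json.dumps({"action": "ALLOW", "httpRequest": {
        "clientIp": "198.51.100.7",
        "headers": [{"name": "Host", "value": "example.test"},
                    {"name": "x-forwarded-for",
                     "value": "203.0.113.45, 198.51.100.7"}]}}),
    json.dumps({"action": "ALLOW", "httpRequest": {
        "clientIp": "203.0.113.45",
        "headers": [{"name": "Host", "value": "example.test"}]}}),
]


def first_forwarded_ip(record, header="X-Forwarded-For"):
    """Return the first valid IP in the header as WAF logged it, or None."""
    for h in record.get("httpRequest", {}).get("headers", []):
        if h.get("name", "").lower() == header.lower():
            first = h.get("value", "").split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                return None  # header present, but first entry is not an IP
    return None  # header never reached the WAF hop


def rate_statement(record, limit=1000):
    """Build a WAFv2 RateBasedStatement keyed on what WAF actually saw."""
    if first_forwarded_ip(record) is None:
        # No usable header at the WAF hop: aggregate on the connection source.
        return {"RateBasedStatement": {"Limit": limit,
                                       "AggregateKeyType": "IP"}}
    return {"RateBasedStatement": {
        "Limit": limit,  # sample threshold, not a recommendation
        "AggregateKeyType": "FORWARDED_IP",
        "ForwardedIPConfig": {"HeaderName": "X-Forwarded-For",
                              "FallbackBehavior": "NO_MATCH"}}}


def summarize(lines):
    """Map each log line to (clientIp, first forwarded IP, aggregate key)."""
    out = []
    for line in lines:
        rec = json.loads(line)
        key = rate_statement(rec)["RateBasedStatement"]["AggregateKeyType"]
        out.append((rec["httpRequest"]["clientIp"], first_forwarded_ip(rec), key))
    return out
```

A GeoMatchStatement accepts the same ForwardedIPConfig block. Because a client can send its own X-Forwarded-For value, a forwarded-IP rule is only as trustworthy as the hop that sets the header.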