diff --git a/doh-server/config.go b/doh-server/config.go
index 6d0d745..e51c07c 100644
--- a/doh-server/config.go
+++ b/doh-server/config.go
@@ -40,6 +40,7 @@ type config struct {
 	TCPOnly          bool     `toml:"tcp_only"`
 	Verbose          bool     `toml:"verbose"`
 	DebugHTTPHeaders []string `toml:"debug_http_headers"`
+	LogGuessedIP     bool     `toml:"log_guessed_client_ip"`
 }
 
 func loadConfig(path string) (*config, error) {
diff --git a/doh-server/doh-server.conf b/doh-server/doh-server.conf
index f9e2356..335fe86 100644
--- a/doh-server/doh-server.conf
+++ b/doh-server/doh-server.conf
@@ -38,3 +38,7 @@ tcp_only = false
 
 # Enable logging
 verbose = false
+
+# Enable log IP from HTTPS-reverse proxy header: X-Forwarded-For or X-Real-IP
+# Note: http uri/useragent log cannot be controlled by this config
+log_guessed_client_ip = false
diff --git a/doh-server/ietf.go b/doh-server/ietf.go
index f21b818..33a6170 100644
--- a/doh-server/ietf.go
+++ b/doh-server/ietf.go
@@ -30,6 +30,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net"
 	"net/http"
 	"strconv"
 	"strings"
@@ -94,7 +95,15 @@ func (s *Server) parseRequestIETF(ctx context.Context, w http.ResponseWriter, r
 		} else {
 			questionType = strconv.FormatUint(uint64(question.Qtype), 10)
 		}
-		fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		var clientip net.IP = nil
+		if s.conf.LogGuessedIP {
+			clientip = s.findClientIP(r)
+		}
+		if clientip != nil {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", clientip, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		} else {
+			fmt.Printf("%s - - [%s] \"%s %s %s\"\n", r.RemoteAddr, time.Now().Format("02/Jan/2006:15:04:05 -0700"), questionName, questionClass, questionType)
+		}
 	}
 
 	transactionID := msg.Id