diff --git a/component/apache/apache-backend.conf.in b/component/apache/apache-backend.conf.in
index 337a4a6ab79ee6a90a66ecb8266196788c194d99..c9501d1c248951394cff15a2524c720b00ecfda3 100644
--- a/component/apache/apache-backend.conf.in
+++ b/component/apache/apache-backend.conf.in
@@ -135,10 +135,11 @@ SSLProxyEngine On
 
 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
+# Drop incoming X-Forwarded-For without valid client authentication
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
 {% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
 SSLCACertificatePath {{ ca_cert_dir }}
 {%   if crl_dir -%}
 SSLCARevocationCheck chain
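Review bot: The comment above the relocated `RequestHeader unset X-Forwarded-For` line does not say what happens when `ca_cert_dir` is empty, which is the case this move changes. No `SSLVerifyClient` is visible outside the `{% if ca_cert_dir %}` block, so `SSL_CLIENT_VERIFY` should never be `SUCCESS` there and the header is stripped on every request. I would spell that out, e.g. `# Without ca_cert_dir no client is ever verified, so X-Forwarded-For is always dropped; with it, only certificate-authenticated clients may supply the header`. If the backends also consume the standard `Forwarded` header or `X-Forwarded-Host`/`X-Forwarded-Proto`, those would still pass through unfiltered, though that cannot be confirmed from this hunk. The enclosing configuration block starts and ends outside the hunk.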
diff --git a/component/apache/buildout.hash.cfg b/component/apache/buildout.hash.cfg
index 6c800b550f543e96df5b5acc2d1f5d6f019ca69d..57005d4ba251284ee9fa547183a86f6126b9387f 100644
--- a/component/apache/buildout.hash.cfg
+++ b/component/apache/buildout.hash.cfg
@@ -14,5 +14,5 @@
 # not need these here).
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 68ce79573bb2b39625ee6ef57c2e7f14
+md5sum = 5c6d6aacc092b23a02e1c6f4d51e8127