
12/28/2009

How To Log Client IP AND X-Forwarded-For IP in Apache

When you use a device like a BigIP LTM to load-balance your web servers, a typical configuration masks the client IP address. The BigIP essentially proxies requests on behalf of the browser, so the only address your web server sees is that of the BigIP itself. The BigIP uses an industry-standard (but not HTTP standard) mechanism for passing along the client IP address: it stores it in an HTTP request header called X-Forwarded-For. Typically, you configure your Apache servers to log the value of the X-Forwarded-For header instead of the client IP.

This all works great except when you access the web server directly, bypassing the BigIP. The BigIP (or other proxy) inserts the X-Forwarded-For header and your browser does not, so the client address field in the Apache access log comes up empty (a "-"), and you have no simple way to determine which internal user or monitor just took your site down with that vulnerability scan. You can still figure it out based on user-agent and communication with your peers, but we sysadmins are like the police on TV—we like to have all the damning evidence at hand before "interviewing" the perp.

The following HOWTO details a mechanism for logging both, depending upon whether an X-Forwarded-For value exists or not: "HOWTO: Log Client IP AND X-Forwarded-For IP in Apache". It also includes a basic Groovy script for validating.
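
One way to set up the conditional logging described above, as an added example that is not taken from the linked HOWTO. The variable name `has_xff`, the format nicknames and the log path are assumptions; it relies on mod_setenvif and mod_log_config.

```apache
# Added example (not the HOWTO's own configuration).
# has_xff, proxied, direct and the log path are illustrative names.

# Set has_xff only when the request carries a non-empty
# X-Forwarded-For header, i.e. it came through the BigIP or another proxy.
# An absent header is matched as an empty string, so ".+" does not match it.
SetEnvIf X-Forwarded-For ".+" has_xff

# Proxied request: first field is the X-Forwarded-For value,
# second field is the connecting peer (%a), which is the BigIP itself.
LogFormat "%{X-Forwarded-For}i %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied

# Direct request: first field is the connecting client (%a),
# second field is "-" so both formats keep the same column layout.
LogFormat "%a - %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct

# Each request matches exactly one of the two CustomLog lines,
# so every hit is written once, in the format that fits how it arrived.
CustomLog logs/access_log proxied env=has_xff
CustomLog logs/access_log direct  env=!has_xff

# Caveat: X-Forwarded-For is an ordinary request header. A client that
# reaches the server directly can send its own value, which then lands
# in the first field. Keeping %a in the proxied format records the real
# peer address, so an entry whose second field is not the BigIP stands out.
```

After reloading Apache, a request sent through the load balancer and one sent straight to the web server should produce one entry each in `logs/access_log`, with the second field showing the BigIP address for the former and "-" for the latter.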
