9th February

in Load Balancing

Apache and X-Forwarded-For Headers

Posted by Rob Cooper

It’s easier to get Apache to log client IP addresses utilizing X-Forwarded-For headers than it is using IIS. By default, the logs do not record source IP addresses for clients but as of Apache version 2.4 you can use the ErrorLogFormat directive in the httpd.conf file as explained below.

–> Were you actually looking for how to do XFF on IIS?

There’s been a lot of debate in the office about how best to capture both your load balancer’s IP and the source IP of the user in your access_log in Apache 2.4, and this is the tried and tested way that we have come up with.

How to log X-Forwarded-For headers using Apache 2.4:

When you start out, your httpd.conf will look something like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combined

The %h is already there to log the remote host, which, by default, will be the IP of the load balancer (the last proxy server that the traffic came from).

Assuming you have X-Forwarded-For enabled in the load balancer (or whatever proxy server you are using), you can also capture the source IP from the original client. Your LogFormat entry will need to look like this:

RemoteIPHeader X-Forwarded-For
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwarded

What this comes back with is both the IP of your Loadbalancer and the Source IP.

192.168.85.0 192.168.85.21 - - [15/Sep/2016:12:23:16 +0100] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36\

For clarity, 192.168.85.0 is my source machine and 192.168.85.21 is my Loadbalancer.

How to log X-Forwarded-For headers using Apache 2.2:

The standard LogFormat directive:

LogFormat "%h %l %u %t \"%r\" %>s %b" common

To add the client’s source IP address, just change this to:

LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common

To add the client’s source IP address and put quotes around each field (useful when importing the logs into a spreadsheet or database):

LogFormat "\"%h\" \"%l\" \"%u\" \"%t\" \"%r\" \"%>s\" \"%b\" \"%{X-Forwarded-For}i\"" common

Once you’ve made the change, restart Apache and you’re done. The examples below show the resulting log entries for each configuration.

Standard logs:

192.168.2.210 - - [09/Feb/2011:09:59:31 +0000] "GET / HTTP/1.1" 200 44

Client IPs added:

192.168.2.210 - - [09/Feb/2011:10:00:16 +0000] "GET / HTTP/1.1" 200 44 192.168.2.7

Client IPs added and all fields encapsulated in quotes:

"192.168.2.210" "-" "-" "[09/Feb/2011:10:01:10 +0000]" "GET / HTTP/1.1" "200" "44" "192.168.2.7"

N.B.

192.168.2.210 is the IP of the Ethernet interface (eth0) on the load balancer

192.168.2.7 is the IP of my test PC

One other point, if you also have Pound SSL in your configuration, once you’ve added the X-Forwarded-For bit to your LogFormat directive, the logs will also record an additional entry for the Pound virtual server as shown below:

192.168.2.210 - - [09/Feb/2011:10:02:16 +0000] "GET / HTTP/1.1" 200 44 192.168.2.7, 192.168.2.212

The additional IP address (192.168.2.212) in this example is the IP of the Pound Virtual Server.
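
Added example (not from the original post): a Python parser for the Apache 2.2 format above that picks the client address out of an X-Forwarded-For chain like the Pound one. The header arrives with the request, so only entries appended by your own proxies are reliable and the chain is read right to left. The function names and the trusted-proxy set are assumptions built from the post's example addresses.

```python
import ipaddress
import re

# Assumption: the proxies you operate. Here, the post's load balancer (eth0)
# and Pound virtual server addresses.
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in ("192.168.2.210", "192.168.2.212")}

# The post's Apache 2.2 format: %h %l %u %t "%r" %>s %b %{X-Forwarded-For}i
# Apache writes a quote inside %r as \", so the request group allows escapes.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ (?P<xff>.*)$'
)

def resolve_client(peer, xff, trusted=TRUSTED_PROXIES):
    """Walk the chain right to left, believing an entry only if the hop that
    appended it is trusted. Returns (client, unverified leftover entries)."""
    hops = [h.strip() for h in xff.split(",") if h.strip() not in ("", "-")]
    client = ipaddress.ip_address(peer)  # assumes %h is an IP (HostnameLookups Off)
    while hops and client in trusted:
        try:
            client = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # malformed entry: stop and leave it in the unverified list
        hops.pop()
    return str(client), hops

def parse_line(line):
    """Return a dict for a matching log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    client, unverified = resolve_client(m["peer"], m["xff"])
    return {"peer": m["peer"], "client": client, "unverified": unverified,
            "request": m["request"], "status": int(m["status"])}

SAMPLE = [
    # From the post: Pound in front of the load balancer.
    '192.168.2.210 - - [09/Feb/2011:10:02:16 +0000] "GET / HTTP/1.1" 200 44 192.168.2.7, 192.168.2.212',
    # Constructed: the request arrived already carrying an X-Forwarded-For value.
    '192.168.2.210 - - [09/Feb/2011:10:03:00 +0000] "GET / HTTP/1.1" 200 44 127.0.0.1, 192.168.2.7',
    # Constructed: connection made straight to Apache, not via the load balancer.
    '192.168.2.7 - - [09/Feb/2011:10:04:00 +0000] "GET / HTTP/1.1" 200 44 10.0.0.1',
]

if __name__ == "__main__":
    for entry in map(parse_line, SAMPLE):
        print(entry["client"], "via", entry["peer"], "unverified:", entry["unverified"])
```

A non-empty unverified list means the entries to the left of the resolved client were not added by a proxy you control, which is worth alerting on or at least keeping out of access-control decisions.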

About the author

Rob Cooper

Rob’s been with the company since 2010 and helps to maintain the critical link between the Sales, Support and Development departments by providing deployment, testing and documentation skills. He’s also responsible for all Microsoft and VMware approvals and certifications and ensuring ongoing compliance. When not at the Loadbalancer.org offices he enjoys getting out on his boat as well as playing bass guitar.
