Apache/Ubuntu Stack Behind a Reverse Proxy – How to Log the X-Forwarded-For Header and Disable Logging of Proxy Health Checks
Running Apache HTTP Server behind a reverse proxy is a very common setup. By default, however, Apache logs the source IP address from the layer 3 header rather than the address carried in the X-Forwarded-For header. This is inconvenient when checking server logs, because every request appears to come from the same IP address.
Another issue that makes poking through logs more painful is the logging of the constant health checks initiated by the reverse proxy. These health checks can fill the log rapidly with line after line of redundant text.
As you can see, all of this adds complexity to log analysis. If you’re seeking solutions to address these issues, look no further – this guide is designed specifically for you!
Part 1: Log the X-Forwarded-For Header vs L3 IP
Step 1 – Enable the RemoteIP Module
Enable the remoteip module by typing the following:
rmtech@testserver:~$ sudo a2enmod remoteip
Step 2 – RemoteIP Module Configuration
Navigate to /etc/apache2/conf-available and create a configuration file named remoteip.conf.
rmtech@testserver:~$ cd /etc/apache2/conf-available
rmtech@testserver:/etc/apache2/conf-available$ sudo nano remoteip.conf
Nano is used in this example, but any text editor will work fine.
Add the following contents to the file:
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy x.x.x.x
Replace x.x.x.x with the IP address of the reverse proxy. You can also add multiple addresses by adding a space in between them, or define a subnet in CIDR notation.
Examples:

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.1.21.3

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.1.21.3 10.1.21.4

RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.1.21.0/24

If you are not using RFC 1918 addressing in your network, use the RemoteIPTrustedProxy directive instead of RemoteIPInternalProxy.
After confirming that everything is correct, save the file and exit the text editor.
Nano Users: Press [ctrl] + [x] (which will prompt you to save) and then [y] followed by [enter].
Next, enable the configuration:
rmtech@testserver:/etc/apache2/conf-available$ sudo a2enconf remoteip
Step 3 – Modify the Log Format
Navigate to /etc/apache2, and open apache2.conf.
rmtech@testserver:/etc/apache2/conf-available$ cd /etc/apache2
rmtech@testserver:/etc/apache2$ sudo nano apache2.conf
Scroll down until you see the LogFormat lines:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Look closely, there are 3 places where %h exists:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Replace every instance of %h with %a:
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Save and exit the text editor.
Restart the Apache service:
rmtech@testserver:/etc/apache2$ sudo service apache2 restart
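Why the proxy list in remoteip.conf should name only the real proxy: the sketch below is an added example, not code from this guide or from Apache. It is a simplified model of how the X-Forwarded-For value is consumed right to left while the address vouching for each entry is a listed proxy. The function name and all sample addresses other than 10.1.21.3 are constructed, and the model ignores the private-address check that separates RemoteIPInternalProxy from RemoteIPTrustedProxy.

```python
import ipaddress

def resolve_client_ip(peer, xff, trusted_proxies):
    """Simplified model of the right-to-left X-Forwarded-For walk.

    peer            -- address of the TCP connection (what %h logs)
    xff             -- raw X-Forwarded-For value, "" if the header is absent
    trusted_proxies -- addresses/CIDRs as listed in RemoteIPInternalProxy
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Accept one more hop only while the address vouching for it is trusted.
    while hops and any(current in n for n in nets):
        try:
            current = ipaddress.ip_address(hops.pop())  # rightmost entry first
        except ValueError:
            break  # unparsable entry: stop and keep the last good address
    return str(current)

PROXY = ["10.1.21.3"]  # value from the guide's first example

# Constructed cases: (description, peer, X-Forwarded-For, trusted list)
CASES = [
    ("request relayed by the proxy",
     "10.1.21.3", "203.0.113.7", PROXY),
    ("client sent its own header, proxy appended",
     "10.1.21.3", "198.51.100.99, 203.0.113.7", PROXY),
    ("proxy health check, no header",
     "10.1.21.3", "", PROXY),
    ("direct connection from an unlisted host",
     "10.1.21.77", "198.51.100.99", PROXY),
    ("same host once 10.0.0.0/8 is trusted",
     "10.1.21.77", "198.51.100.99", ["10.0.0.0/8"]),
]

if __name__ == "__main__":
    for desc, peer, xff, trusted in CASES:
        print(f"{desc:45} -> {resolve_client_ip(peer, xff, trusted)}")
```

The last two cases differ only in the trusted list: with a broad range, any host inside it can decide what address ends up in the log, so list the proxy addresses as narrowly as the setup allows.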
Part 2: Disable Logging of Proxy Health Checks
Step 1 – Enable the SetEnvIf Module
Enable the SetEnvIf module by typing the following:
rmtech@testserver:~$ sudo a2enmod setenvif
Step 2 – Add the SetEnvIf Directive to apache2.conf
Navigate to /etc/apache2, and open apache2.conf.
rmtech@testserver:~$ cd /etc/apache2
rmtech@testserver:/etc/apache2$ sudo nano apache2.conf
Scroll down until you see LogFormat:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Insert the following line:
SetEnvIf Remote_Addr "^x\.x\.x\.x$" is-nolog=1
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Replace x\.x\.x\.x with the IP address you wish to omit from the log. In this example, each x is a placeholder for up to 3 digits for each octet of the IP address.
The IP address must be formatted correctly: the value is a regular expression, so escape each dot and keep the ^ and $ anchors. Without the trailing $, the pattern would also match longer addresses that begin the same way, such as 10.1.21.30.
E.g. If the IP was 10.1.21.3, it would look like this: "^10\.1\.21\.3$"
You can add multiple IP addresses by adding multiple statements.
Examples:

SetEnvIf Remote_Addr "^10\.1\.21\.3$" is-nolog=1
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

SetEnvIf Remote_Addr "^10\.1\.21\.3$" is-nolog=1
SetEnvIf Remote_Addr "^10\.1\.21\.4$" is-nolog=1
SetEnvIf Remote_Addr "^10\.1\.21\.5$" is-nolog=1
SetEnvIf Remote_Addr "^10\.1\.21\.6$" is-nolog=1
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Save and exit the text editor.
Step 3 – Add the CustomLog Directive to the Virtualhost Configuration File
Navigate to /etc/apache2/sites-available and open the virtual host file for your website. In this example, rmtech.conf will be used.
rmtech@testserver:/etc/apache2$ cd /etc/apache2/sites-available
rmtech@testserver:/etc/apache2/sites-available$ sudo nano rmtech.conf
Insert the CustomLog directive and conditions into the <VirtualHost> section of the config file.
Example:
<VirtualHost *:80>
    ServerName test.rmtechcentral.com
    ServerAlias test.rmtechcentral.com
    DocumentRoot /usr/share/demo/wordpress
    CustomLog ${APACHE_LOG_DIR}/website_access.log common env=!is-nolog
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>
Modify the log dir, log file, and log format as needed to suit your personal preferences.
env=!is-nolog is what instructs Apache not to log requests from the IP address(es) that were defined earlier in apache2.conf.
Here is the full breakdown:
- ${APACHE_LOG_DIR} – Indicates that the default log directory should be used. This can be changed if you would like to write logs to a different directory.
- website_access.log – Defines the custom log file.
- common – Defines the log format. You can also use combined log format if you wish.
- env=!is-nolog – Instructs Apache not to log requests from the IP address(es) that were defined earlier in apache2.conf.
- ErrorLog ${APACHE_LOG_DIR}/error.log – Defines a custom error log, but we just went with the default here.
Save the file and restart the Apache service.
rmtech@testserver:/etc/apache2/sites-available$ sudo service apache2 restart
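Because CustomLog with env=!is-nolog silently drops every request whose Remote_Addr matches a SetEnvIf pattern, it is worth checking exactly which addresses a pattern silences. The audit below is an added example, not part of the original guide: the function names and the 10.1.21.0/24 subnet are constructed, and Python's re.search stands in for Apache's unanchored regex match (an assumption that holds for simple patterns like these).

```python
import ipaddress
import re

def suppressed(pattern, subnet):
    """Addresses in `subnet` whose requests would be tagged is-nolog=1.

    SetEnvIf searches Remote_Addr with a regular expression; re.search is
    used here as a stand-in for Apache's regex engine (assumption).
    """
    rx = re.compile(pattern)
    return [str(ip) for ip in ipaddress.ip_network(subnet) if rx.search(str(ip))]

def audit(pattern, intended, subnet):
    """Addresses the pattern silences beyond the ones you meant to silence."""
    extra = set(suppressed(pattern, subnet)) - set(intended)
    return sorted(extra, key=ipaddress.ip_address)

SUBNET = "10.1.21.0/24"        # constructed: subnet around the example proxy
HEALTH_CHECKER = ["10.1.21.3"]  # proxy address used in the guide's examples

PATTERNS = {
    "start anchor only": r"^10\.1\.21\.3",
    "anchored both ends": r"^10\.1\.21\.3$",
}

def report():
    """Map each pattern label to the unintended addresses it would silence."""
    return {label: audit(p, HEALTH_CHECKER, SUBNET) for label, p in PATTERNS.items()}

if __name__ == "__main__":
    for label, extra in report().items():
        status = "OK" if not extra else f"also silences {len(extra)}: {extra[0]} .. {extra[-1]}"
        print(f"{label:20} {status}")
    # One anchored pattern can replace the four separate statements for .3 to .6:
    print(suppressed(r"^10\.1\.21\.[3-6]$", SUBNET))
```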
Congrats! You’re Done!
Go check the logs to confirm that everything is working as intended.
PID: 20231209-00001