httpd access log: IP logged is the reverse proxy, how to find actual proxy

I checked the access log and found that the IP logged for users is that of the reverse proxy server.

The setup is like this:

www.abc.com -> reverse proxy to my server 123.123.123.123

Is there any way to configure the http access log to track the actual incoming IP behind the reverse proxy server?


You're looking for the X-Forwarded-For header. Any proxy worth its salt will add this header to HTTP requests it is forwarding.

If your entire site is behind this proxy, then you need to find the relevant LogFormat for it, which will typically look like this:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

and add the header to it (or swap out the %h which is only ever going to be your reverse proxy) like this:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

If you don't want to redefine the combined log format then create your own:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_proxy
CustomLog /path/to/logfile.log combined_proxy

%{<header>}i is a way to get any other request header into your log files.

Note: That header will not always necessarily be a single IP address. If the request has come through more than one proxy, then you'll get a comma-separated list of the form: client, proxy1, proxy2; you may need to update your scripts or log scrapers to accommodate this.


Yes, there is.

For the current version of Apache: mod_rpaf
For anything later than the 2.3 branch: mod_remoteip

Both of these will replace the REMOTE_ADDR variable in the running Apache process with the last IP from the incoming X-Forwarded-For header from any trusted reverse proxy. This IP address will also be logged in your standard Apache logs without having to change them at all.

This variable will also be available to your PHP code as $_SERVER['REMOTE_ADDR'] which is where you would normally expect the remote IP address to be.

The only configuration that is required for these modules is to supply them with a list of trusted reverse proxies.

On a security note, these headers can be added, removed, faked and possibly mangled. There is no guarantee that any IP address you get from this header is the true IP address of the visitor. The last one in the list (which is the one added by your trusted reverse proxy) is the only one you can be certain of.
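
Both answers come down to reading the comma-separated X-Forwarded-For list from the right and believing an entry only while the hop that appended it is one of your own proxies. The Python below is an added example, not part of either answer or of any Apache module; `resolve_client`, `TRUSTED_PROXIES` and every address in it are constructed for illustration, and it also walks through chained trusted proxies, which goes beyond the single-proxy setup in the question.

```python
import ipaddress

# Assumption: address ranges of the reverse proxies you operate (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/24", "2001:db8:ffff::/48")]


def is_trusted(addr):
    """True if addr belongs to one of our own reverse proxies."""
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_PROXIES)


def resolve_client(peer, xff):
    """Return the address worth logging for one request.

    peer: IP of the TCP connection as seen by this server (what %h logs).
    xff:  raw X-Forwarded-For value, or None / "-" when the header is absent.
    """
    current = ipaddress.ip_address(peer)
    if xff in (None, "", "-"):
        entries = []
    else:
        entries = [e.strip() for e in xff.split(",")]
    # Walk right to left: each entry was appended by the hop to its right,
    # so it is only believable while that hop is one of our own proxies.
    for entry in reversed(entries):
        if not is_trusted(current):
            break  # everything further left was supplied by an outsider
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            break  # mangled entry: keep the last address we could verify
    return str(current)


if __name__ == "__main__":
    # Constructed samples: (peer, X-Forwarded-For value)
    samples = [
        ("10.0.0.5", "203.0.113.7"),               # one trusted proxy
        ("10.0.0.5", "1.2.3.4, 203.0.113.7"),      # client sent its own header
        ("10.0.0.5", "203.0.113.7, 10.0.0.9"),     # two chained trusted proxies
        ("198.51.100.20", "1.2.3.4"),              # request bypassed the proxy
    ]
    for peer, xff in samples:
        print(f"{peer:15} {xff:25} -> {resolve_client(peer, xff)}")
```
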