We Keep Coding

Running tomcat behind multiple httpd proxy, how to log the IP of which proxy server the request goes through

My system is running as architecture below
clients -> physical LB -> httpd reverse proxy (multiple servers) -> tomcat (multiple servers)
my question is how I could log the IP of the proxy server that the request goes through into the tomcat access log?
here is my tomcat server.xml config
<Valve className="org.apache.catalina.valves.RemoteIpValve"
remoteIpHeader="x-forwarded-for"
proxiesHeader="x-forwarded-by"
protocolHeader="x-forwarded-proto"
/>
<Valve className="org.apache.catalina.valves.AccessLogValve"
requestAttributesEnabled="true"
directory="${LOG_DIR}/tomcat"
prefix="access."
suffix=".log"
pattern="%h %{org.apache.tomcat.remoteAddr}r %{X-Forwarded-For}i %A %{Host}i %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i" %I %D "%S" "%{COOKIE}i""
resolveHosts="false"
fileDateFormat="yyyy-MM-dd"
rotatable="true"
/>

Can't get Logs to Show Real IP w/ mod_remoteip and Sucuri

Really hope someone can help. I'm trying to the use the Sucuri CloudProxy reverse proxy on my new site.
To try and get the real IP I've installed mod_remoteip.so and it's loaded in my HTTPD config file (/etc/httpd/conf/httpd.conf):
LoadModule remoteip_module /usr/lib64/httpd/modules/mod_remoteip.so
I've also created /etc/httpd/conf.d/mod_remoteip.conf and in there I've added:
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader HTTP_X_SUCURI_CLIENTIP
RemoteIPHeader HTTP_X_FORWARDED_FOR
RemoteIPHeader HTTP_X_REAL_IP
RemoteIPTrustedProxy 2a02:fe80::/29
RemoteIPTrustedProxy 192.88.134.0/23
Per their instructions here: https://kb.sucuri.net/cloudproxy/Troubleshooting/same-user-ip
I'm running Apache 2.4.6
httpd -v
Server version: Apache/2.4.6 (CentOS)
I'm also on CentOS 7:
cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
I've restarted apache multiple times, even tried rebooting, but no matter what I do I can't seem to get the real IP to show up in the logs.
I am using the right log format I believe:
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
I replaced %h with %a because I was reading on some troubleshooting pages that it had helped, but in my case it didn't. This was the site I was referencing: https://trick77.com/apache2-2-4-logging-remote-ip-address-using-mod_remoteip/
I'm reached the end of my wits.. :(.. any help is greatly appreciated..

It seems like your "RemoteIPHeader" is not configured properly. Remove what you have there and try to set it only as:
RemoteIPHeader X-Forwarded-For
And it should work. Hope it helps.
thanks,

How to create tomcat access log setup?

<Valve
className="org.apache.catalina.valves.AccessLogValve"
directory="${catalina.base}/logs"
prefix="access_log"
fileDateFormat="yyyy-MM-dd.HH"
suffix=".log"
pattern="%t %H cookie:%{SESSIONID}c request:%{SESSIONID}r %m %U %s %q %r"
/>
But it is not working for me..No logs are being created. I want all the info of client including access time,IP, host,proxy IP,hostname.

For time,IP, host,proxy IP,hostname - Check link for reference. Use Following
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t "%r" %s %b" />
logs are not created because of directory="${catalina.base}/logs". Directory description is
Absolute or relative pathname of a directory in which log files created by this valve will be placed. If a relative path is specified, it is interpreted as relative to $CATALINA_BASE. If no directory attribute is specified, the default value is "logs" (relative to $CATALINA_BASE).
You must specify only directory="logs".

userid is not printed in Apache access logs

I have a production setup as
webSEAL --> F5 --> 2 Apache --- 2 weblogic servers.
For every request webSEAL logs prints logged-in user-id and weblogic which is at the very last in infrastructure chain also have the user-id available in weblogic http access.log (not application log but weblogic internal access logs) but there's nothing shown in Apache.
Even when I added new logging configuration at apache, it's not printing the user_id in apache access logs.It just print a dash - (information not available).
following is the added configuration in httpd.conf and output.
LogFormat "%h %V %u %t \"%r\" %>s" test
CustomLog logs/testLogs testFormat
***192.168.44.53 localhost - [11/Jun/2015:23:21:39 +0200] "HEAD / HTTP/1.1" 200***
What else do I need to do to "make user-id available to Apache instance".
This is the reference for Apache 2.0X which I'm using in my environment.
http://httpd.apache.org/docs/2.0/logs.html

The %u pattern code logs the remote username if the request was authenticated with HTTP Basic or Digest authentication. In the example log entry this value is "-", meaning that the request was not authenticated with HTTP Basic or Digest authentication.
You can use Apache to log client IP addresses utilizing X-Forwarded-For headers .
The standard LogFormat directive:
LogFormat “%h %l %u %t “%r” %>s %b” common
To add the clients source IP address, just change this to:
LogFormat “%h %l %u %t “%r” %>s %b %{X-Forwarded-For}i” common
Standard logs:
192.168.2.210 – – [09/Feb/2011:09:59:31 +0000] “GET / HTTP/1.1″ 200 44
Client IP’s added:
192.168.2.210 – – [09/Feb/2011:10:00:16 +0000] “GET / HTTP/1.1″ 200 44 192.168.2.7

Getting Apache 2.4 access logs to show client IP instead of 127.0.0.1 with Varnish using mod_remoteip

For the life of me, I couldn't get mod_remoteip to get client IPs in my Apache access logs. I'm working on a Virtualmin setup with Varnish 4 installed in front of Apache 2.4.7. How do you get it working?

I finally got the client IPs in the log and I found the last step here:
Here are the steps to getting it to work:
Get Varnish to pass a header to Apache with the client IP. You do this by including this bit of code (found in this answer) at the very beginning of your vcl_recv:
if (req.restarts == 0) {
if (req.http.X-Forwarded-For) {
set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
} else {
set req.http.X-Forwarded-For = client.ip;
}
}
Now enable mod_remoteip in Apache.
Edit your Apache config to tell mod_remoteip what header contains the client IP (from Apache docs). I'm using X-Forwarded-For, but I suppose this could be anything as long as it matches what you've configured Varnish to pass along:
RemoteIPHeader X-Forwarded-For
If you restarted Apache and Varnish right now, I bet Apache will now reference the client IP instead of 127.0.0.1 everywhere. Except in the access logs which is where I've been checking. To get the access logs to show the client IP, we need to modify the log format Apache it's using. In my case, this was the "combined" format. This was my breakthrough and I found it here which links to this excellent information for our purposes.
This is what my combined log format looked like:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
And I just substituted %a in where %h was and this is what it looks like:
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
And finally, here's what a block of my Apache config file looks like (mod_remoteip loading prior to it):
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
RemoteIPHeader X-Forwarded-For
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined