Can't get Logs to Show Real IP w/ mod_remoteip and Sucuri - apache

Really hope someone can help. I'm trying to use the Sucuri CloudProxy reverse proxy on my new site.
To try and get the real IP I've installed mod_remoteip.so and it's loaded in my HTTPD config file (/etc/httpd/conf/httpd.conf):
LoadModule remoteip_module /usr/lib64/httpd/modules/mod_remoteip.so
I've also created /etc/httpd/conf.d/mod_remoteip.conf and in there I've added:
LoadModule remoteip_module modules/mod_remoteip.so
RemoteIPHeader HTTP_X_SUCURI_CLIENTIP
RemoteIPHeader HTTP_X_FORWARDED_FOR
RemoteIPHeader HTTP_X_REAL_IP
RemoteIPTrustedProxy 2a02:fe80::/29
RemoteIPTrustedProxy 192.88.134.0/23
Per their instructions here: https://kb.sucuri.net/cloudproxy/Troubleshooting/same-user-ip
I'm running Apache 2.4.6
httpd -v
Server version: Apache/2.4.6 (CentOS)
I'm also on CentOS 7:
cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
I've restarted apache multiple times, even tried rebooting, but no matter what I do I can't seem to get the real IP to show up in the logs.
I am using the right log format I believe:
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
I replaced %h with %a because I was reading on some troubleshooting pages that it had helped, but in my case it didn't. This was the site I was referencing: https://trick77.com/apache2-2-4-logging-remote-ip-address-using-mod_remoteip/
I've reached the end of my wits. :( Any help is greatly appreciated.

It seems like your "RemoteIPHeader" is not configured properly. Remove what you have there and try to set it only as:
RemoteIPHeader X-Forwarded-For
And it should work. Hope it helps.
thanks,

Related

Need to capture SSL_PROTOCOL details in access log of HttpServer

We are trying to identify which ssl_protocol is used when it communicates with Inbound Connectivity, so we tried to append this attribute \"%{SSL_PROTOCOL }e\" under LogFormat in the httpd.conf file.
We formatted as in below manner.
LogFormat "%h %l %u %t %T\"%r\" %>s %b \"%{SSL_PROTOCOL}e\" " common
But we are still not able to capture the SSL_PROTOCOL details. Is there any prerequisite that needs to be done, or is there any other alternative?
IBM HTTP Server uses %{SSL_PROTOCOL_VERSION}e and %{HTTPS_CIPHER}e for the handshake details.

Log a call's execution time using wamp

Is there a way to log how long a call takes, as currently it only logs the time the call was made? I need the actual duration.
Thanks
Well one way to do it is using the already existing Apache logging feature.
So first check that you have this module activated in httpd.conf (it probably is):
LoadModule log_config_module modules/mod_log_config.so
Then change your LogFormat parameter to add these 2 new options
So if you start with
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Then change it to
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" $$%T/%D$$" combined
Then make sure that the CustomLog parameter is using the newly changed combined output.
CustomLog "c:/wamp/logs/access.log" combined
All the directories in this example assume you are using WAMPServer; if not, don't use the actual directories I have in this example.
%T shows the time taken to serve the request, in seconds.
%D shows the time taken to serve the request, in microseconds.
This will give you the extra parameters at the end of each line in the access.log like so
mypc - - [24/Feb/2015:11:10:58 +0000] "GET /index.php?img=favicon HTTP/1.1" 200 1429 "-" "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0" $$0/5000$$
You can change the $$ symbols I used here to whatever you like.

Getting Apache 2.4 access logs to show client IP instead of 127.0.0.1 with Varnish using mod_remoteip

For the life of me, I couldn't get mod_remoteip to get client IPs in my Apache access logs. I'm working on a Virtualmin setup with Varnish 4 installed in front of Apache 2.4.7. How do you get it working?
I finally got the client IPs in the log and I found the last step here:
Here are the steps to getting it to work:
Get Varnish to pass a header to Apache with the client IP. You do this by including this bit of code (found in this answer) at the very beginning of your vcl_recv:
if (req.restarts == 0) {
if (req.http.X-Forwarded-For) {
set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
} else {
set req.http.X-Forwarded-For = client.ip;
}
}
Now enable mod_remoteip in Apache.
Edit your Apache config to tell mod_remoteip what header contains the client IP (from Apache docs). I'm using X-Forwarded-For, but I suppose this could be anything as long as it matches what you've configured Varnish to pass along:
RemoteIPHeader X-Forwarded-For
If you restarted Apache and Varnish right now, I bet Apache will now reference the client IP instead of 127.0.0.1 everywhere, except in the access logs, which is where I've been checking. To get the access logs to show the client IP, we need to modify the log format Apache is using. In my case, this was the "combined" format. This was my breakthrough; I found it here, which links to this excellent information for our purposes.
This is what my combined log format looked like:
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
And I just substituted %a in where %h was and this is what it looks like:
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
And finally, here's what a block of my Apache config file looks like (mod_remoteip loading prior to it):
# Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
# Use mod_remoteip instead.
RemoteIPHeader X-Forwarded-For
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
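RemoteIPHeader names the header as it travels on the wire (X-Forwarded-For, not the HTTP_X_FORWARDED_FOR spelling used in the first question), mod_remoteip honours a single such directive (a later one replaces an earlier one), and it picks the client address by walking that header's comma-separated chain from the right. The Python below is added here and is not code from Apache, Sucuri or either answer: it models that walk for the RemoteIPTrustedProxy list from the first question and for the Varnish setup above, which configures no list at all; the sample chains in the comments and tests are constructed.

```python
import ipaddress

# The RemoteIPTrustedProxy lines from the first question above.
SUCURI_PROXIES = ("2a02:fe80::/29", "192.88.134.0/23")

# RemoteIPTrustedProxy never accepts these as the client address; they are
# left in the header.  (RemoteIPInternalProxy, for proxies inside your own
# network, would accept them.)
_NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "169.254.0.0/16", "127.0.0.0/8")]
_PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def _non_public(addr):
    if addr.version == 4:
        return any(addr in net for net in _NON_PUBLIC_V4)
    return addr not in _PUBLIC_V6


def effective_client_ip(peer_ip, xff_header, trusted=SUCURI_PROXIES):
    """Return (client_ip, leftover_header) as a model of what %a will log.

    peer_ip    - the TCP peer, i.e. what %h shows
    xff_header - value of the header named by RemoteIPHeader, or None
    trusted    - RemoteIPTrustedProxy CIDRs; None means no list configured
    """
    nets = None if trusted is None else [ipaddress.ip_network(t) for t in trusted]
    client = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(client), None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk the chain right to left, popping one hop each time the address
    # reached so far is a trusted proxy.  A peer that is not on the list ends
    # the walk at once, so a client that reaches Apache directly cannot spoof
    # the header.  With no list, no hop is checked against a proxy list, so
    # the leftmost public value, which the original client may have sent
    # itself, wins (e.g. "203.0.113.77, <real client>" logs 203.0.113.77).
    while hops and (nets is None or any(client in n for n in nets)):
        try:
            candidate = ipaddress.ip_address(hops[-1])
        except ValueError:
            break  # unparsable hop: stop, keep the address found so far
        if _non_public(candidate):
            break  # private hop stays in the header, client unchanged
        hops.pop()
        client = candidate
    return str(client), (", ".join(hops) or None)
```

For the Varnish case this means listing the Varnish address as a proxy (RemoteIPInternalProxy for 127.0.0.1) is what stops a client-supplied X-Forwarded-For value from becoming the logged address.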

Finding the format being used on Apache log

I am attempting to perform some data analysis on a set of Apache access logs that were passed on to me, but I noticed these logs do not seem to be in a conventional format (based on a few other Apache log examples I found online). Following is one row extracted from one of my log files (after some anonymization):
2013-08-25 10:06:11 EDT - "GET http://www.siteaddress.com/section/aaa/z/directory HTTP/1.1" 404 1677 1.2.181.171 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" - 0 155311 -
Is there any way I can find out what format is being used to record these logs? That is, how would I go about getting some sort of a header for this file? PS: I have access to the server that is capturing these logs and could use it to find that information out.
Edit 1: I was told to check the content of /etc/apache2/httpd.conf, which I found to be empty.
Edit 2: The following relevant piece was found within apache2.conf but I'm not quite sure these match what I'm seeing in the logs.
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
Edit 3: Found this within /etc/apache2/sites-available/hub and it seems to match my format (Thanks a lot!)
LogFormat "%{%Y-%m-%d %H:%M:%S %Z}t %u \"%r\" %>s %B %a \"%{Referer}i\" \"%{User-Agent}i\" - %T %D -"
In Debian-based distros, the config is split into multiple files. The main configuration is /etc/apache2/apache2.conf, while all vHosts (that are used by default) are configured in /etc/apache2/sites-available (they might not be active, though; when activating virtual hosts using a2ensite, a symlink in /etc/apache2/sites-enabled/ is created, from where the files get included).
If you have never messed with the config, the log format should be set either in /etc/apache2/sites-available/default inside the VirtualHost container or in apache2.conf.
You can find the format specification in one of the Apache configuration files; depending on your server configuration, that may be the primary config file (/etc/apache2/apache2.conf, probably; that's the default on Debian and its derivatives, while /etc/httpd/httpd.conf is common among the Rat Head family), or in the configuration file for the virtual host whose logs you're looking at (/etc/apache2/sites-enabled/* for Debian and company, God only knows where for Rat Head).
The configuration directive you're after will be either LogFormat, which aliases a format string to a short name, or CustomLog, which uses either a format string, or a short name defined earlier in a LogFormat directive, to specify an actual logging format.
The format string syntax is detailed in the Apache documentation.
To save you some time, from eyeballing the sample line and having had considerable experience of Apache logs, most of the format appears to be:
<datetime> - "<request method> <url> <HTTP version>" <response status> <response length> <client address> "<request Referer: header value?>" "<request User-Agent: header value>" - ?? <response duration in microseconds?> - <newline>
I don't know offhand what the parts involving question marks are, but the rest seem pretty obvious.
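Rather than eyeballing a line, a guessed LogFormat can be checked against real lines mechanically. The Python below is an added example, not from any of the answers: it turns a LogFormat string into a regular expression with one named group per directive and applies it to the anonymised line from the question above with the format found in sites-available/hub, and to the WAMP line with its $$%T/%D$$ format from the timing question earlier. It is a reduced model of the format syntax (every directive is one space-free word except %r, %t and header/env values), which is enough for the formats on this page.

```python
import re

# One LogFormat token: %h, %>s, %{Referer}i, %{%Y-%m-%d %H:%M:%S %Z}t ...
_TOKEN = re.compile(r"%[<>]?(?:\{([^}]*)\})?([A-Za-z])")
# Directives whose value may contain spaces (request line, time, header and
# env values); every other directive is treated as one space-free word.
_FREE_TEXT = {"r", "t", "i", "o", "e"}


def logformat_to_regex(logformat):
    """Compile a LogFormat string, as written in httpd.conf, to a regex.

    Groups are named after the directive and its argument (i_User_Agent),
    so a format that repeats a directive would need renaming first.
    """
    fmt = logformat.replace('\\"', '"')  # undo the \" escapes of the config
    pattern, pos = "", 0
    for m in _TOKEN.finditer(fmt):
        arg, directive = m.groups()
        name = directive if arg is None else directive + "_" + re.sub(r"\W", "_", arg)
        value = r".*?" if directive in _FREE_TEXT else r"\S+"
        pattern += re.escape(fmt[pos:m.start()]) + f"(?P<{name}>{value})"
        pos = m.end()
    return re.compile("^" + pattern + re.escape(fmt[pos:]) + "$")


def parse_line(logformat, line):
    """Return the line's fields as a dict, or None if the format does not fit."""
    m = logformat_to_regex(logformat).match(line)
    return m.groupdict() if m else None


# The format from sites-available/hub and the anonymised line from the
# question above, plus the WAMP format and line from the timing question;
# all four are quoted from the page, not constructed.
HUB_FORMAT = r'%{%Y-%m-%d %H:%M:%S %Z}t %u \"%r\" %>s %B %a \"%{Referer}i\" \"%{User-Agent}i\" - %T %D -'
HUB_LINE = ('2013-08-25 10:06:11 EDT - "GET http://www.siteaddress.com/section/aaa/z/directory HTTP/1.1"'
            ' 404 1677 1.2.181.171 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" - 0 155311 -')
WAMP_FORMAT = r'%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" $$%T/%D$$'
WAMP_LINE = ('mypc - - [24/Feb/2015:11:10:58 +0000] "GET /index.php?img=favicon HTTP/1.1" 200 1429 "-"'
             ' "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0" $$0/5000$$')

if __name__ == "__main__":
    for fmt, line in ((HUB_FORMAT, HUB_LINE), (WAMP_FORMAT, WAMP_LINE)):
        print(parse_line(fmt, line))
```

A None result for a whole file is the quick way to rule a candidate format out; a partial match on most lines usually points at one directive (typically %t or a quoted header) being guessed wrong.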

How do I modify Apache LogFormat in PLESK?

I want to change the log format to include the website host, but I don't know how to change it in PLESK.
Webservers that have Plesk installed use a format for logging defined in the Plesk configuration file /etc/httpd/conf.d/zz010_psa_httpd.conf
After looking on some posts on the PLESK forums, the solution that worked was to redefine the plesklog format, just after including the plesk configuration.
To do that I had to edit /etc/httpd/conf/httpd.conf and go to the part that says:
#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf
And add after that the new log format for plesklog:
# Redefine plesk log format
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{Host}i" plesklog
After that I have restarted apache with:
service httpd restart
And now I can check that my website logs are being saved in the new defined format:
tail -f /var/www/vhosts/<your-domain-here>/statistics/logs/access_log
Hope it helps someone!