Problem

When using a reverse proxy (such as is outlined here), logs such as /var/log/apache2/other_vhosts_access.log will likely show the IP address of the proxy, not the client's IP address.

Solution

We can use remoteip and X-Forwarded-For to pass the client's IP address for logging purposes. This requires a few changes to the apache2.conf file.

Implement the following either with the a2enconf method or by putting it in each individual vhost directive for specific sites.

Suggested method: a2enconf

This is the suggested method, since it keeps the vhost directives clean and applies X-Forwarded-For handling by default.

Create an apache2 conf file (we'll call it remoteip.conf):

sudo nano /etc/apache2/conf-available/remoteip.conf

Add this:

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1

Save and exit, then enable the remoteip module and this conf with:

sudo a2enmod remoteip
sudo a2enconf remoteip.conf

Alternative method: vhosts method

I'm assuming your apache2 <proxy>.conf file is of the form discussed in Apache reverse-proxy SSL to multiple server applications. You'll need to add RemoteIPHeader and RemoteIPTrustedProxy to each of the <VirtualHost *:443> blocks. For example:

<VirtualHost *:443>
    ServerName confluence.example.com
     
    ProxyRequests Off
    ProxyVia Off
    ProxyPreserveHost On
     
    <Proxy *>
         Require all granted
    </Proxy>
  
    ProxyPass / http://127.0.0.1:8090/
    ProxyPassReverse / http://127.0.0.1:8090/
     
    RemoteIPHeader X-Forwarded-For
    RemoteIPTrustedProxy 127.0.0.1   
 
    SSLEngine On
    SSLCertificateFile </path/to/fullchain.pem>
    SSLCertificateKeyFile </path/to/privkey.pem>
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Editing apache2.conf

Regardless of which method above you use, you'll now need to make a quick change to the /etc/apache2/apache2.conf file.

Search for the LogFormat arguments and replace the %h instances with %a. It should look something like this when you're done:

Excerpt from /etc/apache2/apache2.conf
LogFormat "%v:%p %a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%a %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

Finally, reload the apache2 configuration files (or restart apache2) with:

sudo service apache2 reload
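
To see what RemoteIPHeader and RemoteIPTrustedProxy do to the logged %a value, here is a simplified Python model of mod_remoteip's documented header handling (an added example, not code from the original page or from Apache). The function names, parameters and sample addresses are constructed for illustration, and only IPv4 is modelled.

```python
from ipaddress import ip_address, ip_network

# Ranges RemoteIPTrustedProxy refuses to take from the header
# (RemoteIPInternalProxy accepts them), per the mod_remoteip docs.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]


def _matches(addr, entries):
    """True if addr falls inside any configured proxy address or CIDR block."""
    return any(addr in ip_network(e) for e in entries)


def logged_address(peer, xff, trusted=(), internal=()):
    """Return the address %a would show (simplified model, an assumption).

    peer     -- TCP peer of the connection (what %h logged before)
    xff      -- raw X-Forwarded-For value, or None if absent
    trusted  -- RemoteIPTrustedProxy entries
    internal -- RemoteIPInternalProxy entries
    """
    current = ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # The header is consumed right to left, one entry per trusted hop.
    while hops:
        is_internal = _matches(current, internal)
        if not is_internal and not _matches(current, trusted):
            break  # this hop is not a listed proxy: ignore the rest
        try:
            candidate = ip_address(hops[-1])
        except ValueError:
            break  # unparsable entry: keep the address we already have
        if not is_internal and any(candidate in n for n in PRIVATE_NETS):
            break  # private address offered via a trusted (not internal) proxy
        current = candidate
        hops.pop()
    return str(current)


if __name__ == "__main__":
    # Constructed sample requests: (connection peer, X-Forwarded-For value)
    samples = [("127.0.0.1", "203.0.113.7"),
               ("198.51.100.9", "203.0.113.7"),
               ("127.0.0.1", "192.0.2.1, 203.0.113.7"),
               ("127.0.0.1", "192.168.1.50")]
    for peer, xff in samples:
        print(peer, "|", xff, "->",
              logged_address(peer, xff, trusted=["127.0.0.1"]))
```

Note the last sample: with RemoteIPTrustedProxy, a private client address such as 192.168.1.50 is not accepted from the header, so a LAN client would still be logged as 127.0.0.1. RemoteIPInternalProxy is the directive that accepts private addresses from the proxy.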
