Logging HTTP_X_FORWARDED_FOR

HTTP_X_FORWARDED_FOR is an environment variable that holds the actual origin address of web clients coming in through a proxy. Following are instructions on including this in Apache logs.


Enterprise environments typically have firewalls, load-balancers and proxies between Internet users and the web servers providing content.

A common problem is that these devices can mask the real origin IP address of Internet clients, making auditing, tracking and problem resolution much more difficult (or impossible), unless the logs of those intervening devices are readily available to administrators.

If HTTP_X_FORWARDED_FOR is available and you’re using the Apache web server, you can modify your access log format to include it. You can check whether it is available by using one of the environment scripts I’ve posted in other articles, like this Perl CGI script or this PHP script; if it isn’t available, you may want to make inquiries about how to get it turned on.

To capture HTTP_X_FORWARDED_FOR in your Apache access logs, all you need to do is modify the LogFormat directive from:

LogFormat "%h %l %u %t \"%r\" %>s %b" common

to:

LogFormat "%h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i" common

This will result in:

10.1.1.2 - - [14/Dec/2011:10:58:01 -0500] "GET / HTTP/1.1" 200 2629 69.89.31.122

where the first IP address is the internal VIP of the forwarding load balancer and the last is the actual client address on the Internet.
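When these logs are used for auditing, keep in mind that X-Forwarded-For arrives as part of the request, so the logged value is only reliable when the connection came from your own load balancer, and it may hold a comma-separated chain of addresses. The following Python sketch is an added example, not part of the original article: it reads lines in the modified format and picks the client address accordingly. TRUSTED_PROXIES, client_address and all sample lines except the first are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: addresses of the proxies / load balancers in front of this server.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.2")}

# Fields of: %h %l %u %t \"%r\" %>s %b %{X-Forwarded-For}i
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:[^"\\]|\\.)*" \d{3} \S+ (?P<xff>.*)$'
)

def client_address(line):
    """Return (address, source) for one log line; source is 'xff' or 'peer'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, xff = m.group("host"), m.group("xff").strip()
    try:
        peer = ipaddress.ip_address(host)
    except ValueError:
        return (host, "peer")      # %h is a hostname, cannot match a proxy IP
    # The header is request data: ignore it unless our own proxy delivered it.
    # Apache logs "-" when the header was absent.
    if peer not in TRUSTED_PROXIES or xff in ("", "-"):
        return (str(peer), "peer")
    # Each proxy appends the address it saw, so read right to left and stop
    # at the first hop that is not one of our proxies.
    for hop in reversed(xff.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return (str(peer), "peer")   # malformed entry: do not guess
        if addr not in TRUSTED_PROXIES:
            return (str(addr), "xff")
    return (str(peer), "peer")

# Constructed sample lines (the first is the article's own example output).
SAMPLES = [
    '10.1.1.2 - - [14/Dec/2011:10:58:01 -0500] "GET / HTTP/1.1" 200 2629 69.89.31.122',
    '10.1.1.2 - - [14/Dec/2011:10:58:02 -0500] "GET / HTTP/1.1" 200 2629 198.51.100.7, 69.89.31.122',
    '203.0.113.9 - - [14/Dec/2011:10:58:03 -0500] "GET / HTTP/1.1" 200 2629 10.9.9.9',
    '10.1.1.2 - - [14/Dec/2011:10:58:04 -0500] "GET / HTTP/1.1" 200 2629 -',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(client_address(line))
```

In the second sample the leftmost entry is whatever the client sent; the rightmost entry is the address the load balancer itself observed, which is the one returned.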