Wednesday, February 6, 2013

Show Real IP in Apache Access Log (CDN)

Recently we have seen some DDoS attacks on our firewall, and we wanted to find out the source IPs these attacks were coming from.

Since we are using a CDN (Content Delivery Network) and most of our static content is served from it, we do not get the real source IPs in our logs, and we need to see them so that we can process the logs accurately.
The Level3 CDN basically works as described below:

The Level3 edge servers work as a reverse proxy, caching the website's contents for the requests they receive on edge servers anywhere around the world. This speeds up page loading and decreases the load on the web server. The only problem with this setup is that you only see Level3's IPs connecting to your web server.

The web server has no information about the source IP unless the edge server (the CDN provider) adds a header to the HTTP request that carries it. So we asked Level3 to verify whether they send such a header: TRUE-CLIENT-IP is the header sent on Level3's network.
Once we knew which header Level3 sends (if one exists), we added the LogFormat below to our httpd.conf file.
If you want to implement this only for a particular domain, add it to that domain's configuration instead.
LogFormat "%{TRUE-CLIENT-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
After this you need to restart the web server for the change to take effect. Each line in your access log will now begin with the TRUE-CLIENT-IP value. (Of course, replace TRUE-CLIENT-IP with the header that is sent on your CDN's network.)
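To make use of the new first field when chasing the attack sources mentioned above, here is an added example (not part of the original post) that parses lines in the LogFormat given here and counts requests per real client IP. Because any client can set an arbitrary TRUE-CLIENT-IP header, the script only honours the header when the connecting peer (%h) is inside the CDN's address ranges; otherwise it falls back to the peer address. The CDN range and the log lines are constructed sample data, not Level3's real ranges or our real logs.

```python
import re
import ipaddress
from collections import Counter

# Regex for the LogFormat used in the post:
# "%{TRUE-CLIENT-IP}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<true_client>\S+) (?P<remote>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed stand-in for the CDN's edge address ranges (not Level3's real ranges).
CDN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in the new format. Apache logs "-" when the header is absent.
SAMPLE_LOG = """\
203.0.113.45 198.51.100.7 - - [06/Feb/2013:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 198.51.100.9 - - [06/Feb/2013:10:15:33 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"
- 192.0.2.9 - - [06/Feb/2013:10:15:34 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.29.0"
10.0.0.1 192.0.2.9 - - [06/Feb/2013:10:15:35 +0000] "GET /login HTTP/1.1" 404 210 "-" "curl/7.29.0"
not-an-ip 198.51.100.7 - - [06/Feb/2013:10:15:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def from_cdn(remote_ip, cdn_networks=CDN_NETWORKS):
    """True if the TCP peer is inside one of the CDN edge ranges we trust to set the header."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in cdn_networks)


def effective_client_ip(record, cdn_networks=CDN_NETWORKS):
    """Pick the IP to attribute the request to.

    The header value is honoured only when the connecting peer is a CDN edge
    and the value parses as an IP address; otherwise the TCP peer (%h) is used.
    """
    remote = record["remote"]
    header = record["true_client"]
    if header != "-" and from_cdn(remote, cdn_networks):
        try:
            return str(ipaddress.ip_address(header))
        except ValueError:
            pass  # garbage in the header: fall back to the peer address
    return remote


def top_sources(log_text, n=5, cdn_networks=CDN_NETWORKS):
    """Count requests per effective client IP, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[effective_client_ip(rec, cdn_networks)] += 1
    return counts.most_common(n)


def direct_hits(log_text, cdn_networks=CDN_NETWORKS):
    """Requests that bypassed the CDN and reached the origin directly (peer not in CDN ranges)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and not from_cdn(rec["remote"], cdn_networks):
            hits.append((rec["remote"], rec["request"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_LOG):
        print(f"{count:5d}  {ip}")
    for remote, request, status in direct_hits(SAMPLE_LOG):
        print(f"direct hit from {remote}: {request!r} -> {status}")
```

Run it against a real log with `top_sources(open("access_log").read(), n=20)` after replacing CDN_NETWORKS with the ranges your CDN publishes. The direct_hits list is worth watching on its own: if the origin is meant to be reachable only through the CDN, anything in it is traffic that found the origin's address directly.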
Hope this will help!!