Apache and F5’s

Everyone who uses any type of reverse proxy runs into this issue.  The original user IP address is lost when the proxy is used.  F5 and most proxy vendors have implements an additional header that contains the original source ip for usage known as the X-Forwarded-For Header.   You have to train your apache logs to look at this or your logs show the wrong IP.   This does present a problem that if someone goes directly the webserver the logs don’t show their ip address.  I ran across this little trick to display the correct IP either way just place this in your apache configuration replacing other log configuration.


httpd.conf in LogFormat section

LogFormat “%{X-Forwarded-For}i %l %u %t \”%r\” %>s %b \”%{Referer}i\” \”%{User-Agent}i\”” proxy

SetEnvIf X-Forwarded-For “^.*\..*\..*\..*” forwarded

Then in your virtual host or host entry use the following

CustomLog “logs/ssl_access_log” combined env=!forwarded

CustomLog “logs/ssl_access_log” proxy env=forwarded




Apache logs how to count number of hits per IP

So I get this a lot… Want to figure out of if you have a DDoS going on… the best way is the apache logs.  Use this code to count and sort by IP:


cut -f1 -d ” ” access_log | sort | uniq -c


Just replace access_log with your log name.

More complex you can also try :


awk ‘{!a[$1]++}END{for(i in a) if ( a[i] >10 ) print a[i],i }’


Apache count number of hits per ip in your logs

Have you ever wanted to know if a specific ip address is hitting your web server too much?


It’s simple assuming your logs are in /var/log/httpd (redhat) do the following


cat access_log | awk ‘{print $1}’ | sort | uniq -c


It will output a list like this:



Apache Count number of unique ip’s

So you want to know how many different ip’s have been hitting your apache server?


It’s simple to do first locate your logs normally in /var/log/httpd/access_log (redhat)


Look at the log and identify which field is the ip address in ours it’s the first entry so we will use $1 (if it’s the second replace with $2)


cat /var/log/httpd/access_log | awk ‘{print $1}’ | sort | uniq | wc -l


This will output a count of unique hits.  You can also get a list with:

cat /var/log/httpd/access_log | awk ‘{print $1}’ | sort | uniq