How to log X-Forwarded-For IP in Apache

When using Apache behind a reverse proxy or load balancer, the server often sees only the proxy’s IP address instead of the real client IP. The X-Forwarded-For header addresses this by carrying the original client IP through each proxy layer. Logging this header keeps records accurate and reveals the true source of each request.

Including the X-Forwarded-For header in Apache access logs requires small adjustments to the LogFormat directive. Inserting the correct header variable ensures that log entries capture the genuine client IP, even behind multiple proxies.

Accurate IP information is essential for security audits, usage analysis, and troubleshooting. Recording the real client IP through the X-Forwarded-For header provides valuable insight into the origin of web traffic without altering the underlying proxy or load balancer configuration.

Steps to log X-Forwarded-For IP in Apache:

Open the Apache configuration file for editing.
```
$ sudo nano /etc/apache2/apache2.conf
```
Location might vary depending on your OS and Apache installation.
Locate the LogFormat directives in the configuration file.
Modify an existing LogFormat or create a new one to include the X-Forwarded-For header.
```
LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-Forwarded-For}i"" combined
```
Add the expression %{X-Forwarded-For}i to the log format string. This expression tells Apache to capture and log the value of the X-Forwarded-For header for each request. Including this header in the log format ensures that the original client IP address is recorded in the access logs.
Update the CustomLog directive to use the modified or new log format.
```
CustomLog ${APACHE_LOG_DIR}/access.log combined
```
Save the changes to the configuration file.
Reload or restart the Apache service to apply the changes.
```
$ sudo systemctl reload apache2
```
Command may vary based on your operating system and Apache version. It's generally a good idea to use reload instead of restart to apply configuration changes without dropping connections.
Verify that the Apache logs are capturing the X-Forwarded-For IP addresses by checking the access logs.
```
$ tail /var/log/apache2/access.log
```
Check the last lines of the log file to see recent access records and verify if X-Forwarded-For IP is correctly logged.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.