Apache log showing NAT server address instead of real requester IP

apache-2.2, log-files

My Apache server is behind a firewall with a NAT translation. The problem I'm having is that I want to see who is actually making the request instead of my firewall's address. It's nice to know that the firewall is working, but to really look at traffic patterns I need to see the real-world IP address.

UPDATE

Firewall is a CentOS 5.2 box using iptables rules created by fwbuilder.

iptables responds to requests on all interfaces; Squid is running on internal-facing interfaces only.

Best Answer

I've seen this with proxy servers and load balancers. The usual case is that inbound traffic crosses the proxy to get to the Web server, but the Web server's default gateway is something other than the proxy. By doing reverse NAT, the Web server gets the proxy's IP instead of the client's. Since it will have a route to the proxy (and in fact is probably in the same subnet), it is assured that it can always get return traffic back to the client.

One fix for this is for the proxy to insert a custom HTTP header containing the client's real IP into the HTTP request that the Web server can parse. For Apache, it becomes a simple problem of modifying your LogFormat statement to use %{Custom-Header} instead of %h. Of course, this depends on your device actually being HTTP aware and being capable of inserting arbitrary headers into GET/POST/etc. requests. It's a common feature for proxies and load balancers, but not so much for firewalls. Additionally, unless your device is doing SSL termination, it won't help you for HTTPS requests. As Kyle said, we need to know more about your firewall.
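The LogFormat change the answer describes, as an added example (not part of the original answer or of the Apache documentation). It assumes the device in front of Apache inserts the client address in an `X-Forwarded-For` request header; if yours uses a different header name, substitute it inside `%{...}i` (the trailing `i` selects a request header and is required). `%h` is kept in the format so the connecting address is still recorded next to the forwarded one:

```apache
# Added example, not from the original answer. Assumes the NAT device or proxy
# inserts the client address in an X-Forwarded-For request header; substitute
# your device's header name in the %{...}i directive if it differs.
#
# %h stays in the format so the connecting address (the firewall) is logged
# next to the forwarded one. X-Forwarded-For is an ordinary request header that
# any client can set, so its value is only trustworthy when the device in front
# of Apache overwrites it on every request. Logging both fields makes a request
# that carries a forwarded address but did not arrive via the firewall stand
# out in the log.
LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" forwarded
CustomLog logs/access_log forwarded
```

Each log line then starts with two addresses: the firewall's (from `%h`) and the forwarded client address, or `-` when the header is absent. Keep the first field rather than replacing it outright; a forwarded address that appears without the firewall's address in front of it is a header the client supplied itself, not one your device inserted.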
