Logging behind a reverse proxy

apache-2.2 logging reverse-proxy varnish

I am currently running Varnish as a reverse proxy in front of our development website, testing before deployment into production. One of the things I've had to come to grips with is logging: in a direct access world, Apache logs the client IP address to access_log and error_log. This is slightly less useful when every client connection is from our Varnish box.

I've done some customization with SetEnvIf and LogFormat, and now our access_log intelligently logs the appropriate IP from REMOTE_HOST or X-Forwarded-For, depending on the source of the incoming connection. This doesn't do anything for error_log though. As far as I can tell, I can't override the client IP in this log.

So, what are your solutions for logging in a reverse proxy world? Should I pretty much write off the standard Apache logging and focus my efforts somewhere else, i.e. in code? I am interested in both usage statistics and security auditing here.

Best Answer

Tip:

mod_rpaf - rpaf is short for reverse proxy add forward.

It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. The first condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly, if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies, it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure.

http://stderr.net/apache/rpaf/
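The trust rule described in the answer, sketched in Python as an added example (not mod_rpaf's code and not from the original posts). It goes one step further than "take the last IP" by skipping trusted proxies from right to left, so chained proxies are handled. The proxy addresses and sample requests are constructed.

```python
import ipaddress

# Assumed proxy addresses (constructed): the only peers allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.5/32")]

def is_trusted(addr):
    """True if addr parses as an IP and belongs to a configured proxy."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def effective_client_ip(peer_ip, xff_header):
    """Return the address that should be logged for one request."""
    # Condition 1: the TCP peer must be a known proxy, otherwise the
    # header is client-controlled and is ignored entirely.
    if not is_trusted(peer_ip) or not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Condition 2: read the header from the right. Entries to the left of the
    # first untrusted hop were supplied by the client and cannot be verified.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the peer address
        if not is_trusted(hop):
            return hop
    return hops[0] if hops else peer_ip  # request originated at a proxy

# Constructed sample requests: (TCP peer, X-Forwarded-For header)
SAMPLES = [
    ("10.0.0.5", "203.0.113.7"),               # normal request via the proxy
    ("198.51.100.23", "127.0.0.1"),            # direct client sending its own header
    ("10.0.0.5", "192.0.2.99, 203.0.113.7"),   # client-supplied entry, proxy appended
    ("127.0.0.1", "203.0.113.9, 10.0.0.5"),    # two trusted proxies in a chain
    ("10.0.0.5", "unknown"),                   # non-IP token in the header
    ("10.0.0.5", None),                        # proxy request without the header
]

def resolve_all(samples=SAMPLES):
    return [effective_client_ip(peer, xff) for peer, xff in samples]

if __name__ == "__main__":
    for (peer, xff), logged in zip(SAMPLES, resolve_all()):
        print(f"peer={peer:15} xff={xff!s:28} -> log {logged}")
```

For security auditing it is worth keeping the original peer address in a separate log field as well, so that a rewritten client IP can always be traced back to the connection that delivered it.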