When you run a webserver behind a reverse proxy or HTTP accelerator such as Squid, Varnish or, as I do, HAProxy, the webserver's access logs show the proxy's IP address instead of the end user's. That breaks any kind of tracking or reporting, and it also creates a security hole: the log no longer tells you which client made which request.
An example of the log before the change (two requests, both attributed to the proxy):
192.168.122.2 - - [07/Feb/2012:23:36:57 +0100] "HEAD / HTTP/1.0" 200 0 "-" "-"
192.168.122.2 - - [07/Feb/2012:23:37:00 +0100] "HEAD / HTTP/1.0" 200 0 "-" "-"
My webmail test cluster runs HAProxy in front of Lighttpd, and HAProxy passes the end user's IP to the backend in the X-Forwarded-For request header, so it's just a matter of making Lighttpd (lighty) log that header instead of the default variable for the connecting IP. Once we know that, the configuration is simple; in lighttpd.conf, enter this (the inner quotes must be escaped inside the format string):
accesslog.format = "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b / \"%{Referer}i\" \"%{User-Agent}i\""
After a restart of lighty, the log will look like this:
83.160.xxx.xxx - - [07/Feb/2012:23:48:09 +0100] "GET / HTTP/1.1" 200 51829 /
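One thing to keep in mind when consuming these logs: X-Forwarded-For is a client-supplied header, and HAProxy's option forwardfor appends the address it saw to whatever the client already sent rather than replacing it. A request that arrives with a forged X-Forwarded-For will therefore be logged as a comma-separated chain, and the only entry the proxy vouches for is the right-most one. The following Python script (an added example, not part of the original post or of the lighttpd or HAProxy projects) parses lines in the exact format configured above, picks the proxy-appended address, and tolerates the cases where the header is absent ("-") or not a valid IP. The sample log lines are constructed for the example and assume the literal "/" separator used in the post's format.

```python
import ipaddress
import re
from collections import Counter

# Matches the post's format:
#   "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b / \"%{Referer}i\" \"%{User-Agent}i\""
# The first field is the raw X-Forwarded-For header, which may contain spaces
# ("10.9.9.9, 83.160.1.2"), so it is matched non-greedily and anchored by the
# ident/user fields and the bracketed timestamp that follow it.
LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) / '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def client_ip_from_xff(xff):
    """Return the address the trusted proxy appended, or None.

    With HAProxy's option forwardfor, the proxy appends the peer address it saw
    to any X-Forwarded-For the client sent, so the right-most hop is the one
    the proxy vouches for; everything to its left is untrusted client input.
    """
    if xff in ("", "-"):
        return None
    hops = [hop.strip() for hop in xff.split(",")]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        # Malformed value (e.g. a client sent garbage and no proxy appended)
        return None


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["client_ip"] = client_ip_from_xff(rec["xff"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def client_ips(log_text):
    """Proxy-vouched client IP for each parseable line (None when no header)."""
    ips = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ips.append(rec["client_ip"])
    return ips


def requests_per_client(log_text, status=None):
    """Count requests per client IP, optionally restricted to one HTTP status."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client_ip"] is None:
            continue
        if status is None or rec["status"] == status:
            counts[rec["client_ip"]] += 1
    return counts


# Constructed sample lines in the post's format (not taken from the original page):
# a plain request, a request whose client forged an X-Forwarded-For before the
# proxy appended the real address, and a request that reached lighty without
# the header at all.
SAMPLE_LOG = """\
83.160.1.2 - - [07/Feb/2012:23:48:09 +0100] "GET / HTTP/1.1" 200 51829 / "-" "Mozilla/5.0"
10.9.9.9, 83.160.1.2 - - [07/Feb/2012:23:48:10 +0100] "GET /login HTTP/1.1" 401 0 / "-" "curl/7.22"
- - - [07/Feb/2012:23:48:11 +0100] "HEAD / HTTP/1.0" 200 0 / "-" "-"
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        print(rec["client_ip"], rec["status"], rec["request"])
    print(requests_per_client(SAMPLE_LOG, status=401))
```

The third sample line shows why the "-" case matters: a request that bypasses the proxy and hits lighty directly will carry no X-Forwarded-For, so the log loses the client address entirely. If that can happen in your setup, restrict the backend to accept connections only from the proxy, or log both the header and the connecting address.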
For more explanation of these variables, and plenty more, see Lighty's wiki.
Props to the poster on the Varnish mailing list!