CODEWITHSUNDEEP
regexapacheloggingpcre
Konstantin
Konstantin

Reputation: 344

Apache conditional logging regex (pcre)

I have the following for conditional:

SetEnvIf X-Forwarded-For ".*, (.+)$" log-format-combinedio-xff-multiple-ips XFF-LAST-IP=$1
SetEnvIf X-Forwarded-For "[^,]+" log-format-combinedio-xff-single-ip
SetEnvIf X-Forwarded-For "^$" log-format-combinedio
CustomLog "|/usr/bin/rotatelogs -f /var/log/apache2/access_log.%Y%m%d%H%M%S 604800" combinedio-xff-multiple-ips env=log-format-combinedio-xff-multiple-ips
CustomLog "|/usr/bin/rotatelogs -f /var/log/apache2/access_log.%Y%m%d%H%M%S 604800" combinedio-xff-single-ip env=log-format-combinedio-xff-single-ip
CustomLog "|/usr/bin/rotatelogs -f /var/log/apache2/access_log.%Y%m%d%H%M%S 604800" combinedio env=log-format-combinedio

However, when I send a request with the X-Forwarded-For header set to a comma-separated list of IPs (more than one) it sets BOTH enivronment variables log-format-combinedio-xff-multiple-ips and log-format-combinedio-xff-single-ip and so I get it logged twice.

Any ideas how to fix this?

Upvotes: 0

Views: 339

Answers (2)

Konstantin
Konstantin

Reputation: 344

Ok I figured it out and posting here in case it helps anyone else:

The regex for the second SetEnvIfshould be:

SetEnvIf X-Forwarded-For "^[^,]+$" log-format-combinedio-xff-single-ip

This will basically only match strings that DO NOT have a comma in them (as in a single IP).

So the full solution is something like this:

SetEnvIf X-Forwarded-For ".*, (.+)$" log-format-combinedio-xff-multiple-ips XFF-LAST-IP=$1
SetEnvIf X-Forwarded-For "^[^,]+$" log-format-combinedio-xff-single-ip
SetEnvIf X-Forwarded-For "^$" log-format-combinedio
CustomLog "|/usr/bin/rotatelogs -f /var/log/apache2/access_log.%Y%m%d%H%M%S 604800" combinedio-xff-multiple-ips env=log-format-combinedio-xff-multiple-ips
CustomLog "|/usr/bin/rotatelogs -f /var/log/apache2/access_log.%Y%m%d%H%M%S 604800" combinedio-xff-single-ip env=log-format-combinedio-xff-single-ip
CustomLog "|/usr/bin/rotatelogs -f /var/log/apache2/access_log.%Y%m%d%H%M%S 604800" combinedio env=log-format-combinedio

Upvotes: 0

omijn
omijn

Reputation: 656

In the second condition (to match a single IP), if you add a check for the beginning (^) and end ($) of the string to create the following regex, it won't match multiple comma separated values.

^[^,]+$

It means: from the beginning to the end of the string, match a sequence of non-comma characters.

Upvotes: 1

Related Questions