https://halfface.se/wiki/index.php?action=history&feed=atom&title=ApacheApache - Revision history2026-04-19T07:27:02ZRevision history for this page on the wikiMediaWiki 1.43.1https://halfface.se/wiki/index.php?title=Apache&diff=13107&oldid=prevEkaanbj: /* POST logging mod_security */2019-01-24T13:52:46Z<p><span class="autocomment">POST logging mod_security</span></p>
<p><b>New page</b></p><div>=Documentation=<br />
<br />
http://httpd.apache.org/docs/2.3/mod/core.html<br />
<br />
=proxy=<br />
<br />
The idea is to receive all incoming requests on a single HTTP server. This server, using mod_proxy and mod_rewrite, will route requests to X backend servers, acting as a reverse proxy. This can be done very simply once mod_proxy is installed, by adding lines such as:<br />
<br />
RewriteEngine on<br />
RewriteRule ^t(.*)$ http://somewhere.com/ [P,L]<br />
<br />
This would route all requests starting with a t to the site somewhere.com and present its contents to the user as if delivered by the front server.<br />
=who is hammering my apache?=<br />
sudo perl -e '$ip{(split)[0]}++ while <>; print map "$_ : $ip{$_}\n", sort {$ip{$b} <=> $ip{$a}} keys %ip' /var/log/httpd/halfface.se.access.log<br />
=POST logging mod_security=<br />
yum install mod_security<br />
/etc/httpd/conf.d/mod_security.conf.bak3 <br />
LoadModule security2_module modules/mod_security2.so<br />
<IfModule !mod_unique_id.c><br />
LoadModule unique_id_module modules/mod_unique_id.so<br />
</IfModule><br />
<IfModule mod_security2.c><br />
SecRuleEngine On<br />
SecAuditEngine on<br />
SecAuditLog /var/log/httpd/modsec_audit.log<br />
SecRequestBodyAccess on<br />
SecResponseBodyAccess on<br />
SecUploadKeepFiles On<br />
SecUploadDir /var/log/httpd/files<br />
SecAuditLogParts ABCEIFGHZ<br />
SecDefaultAction "nolog,noauditlog,allow,phase:2"<br />
SecRule REQUEST_METHOD "POST" "id:1000,phase:2,ctl:auditEngine=On,nolog,pass"<br />
</IfModule><br />
<br />
=POST logging mod_dumpio=<br />
/etc/httpd/conf.d/mod_dumpio.conf.bak <br />
LoadModule dumpio_module modules/mod_dumpio.so<br />
<IfModule dumpio_module><br />
DumpIOInput On<br />
DumpIOOutput On<br />
# DumpIOLogLevel debug<br />
LogLevel debug<br />
</IfModule><br />
<br />
=apachectl=<br />
Verify apache config file.<br />
apachectl -S -f /etc/httpd/conf/httpd.conf<br />
<br />
=Is module loaded=<br />
apachectl -t -D DUMP_MODULES 2>&1 | grep -i dumpio<br />
=logging=<br />
Format examples. Both mean same thing.<br />
# CustomLog with format nickname<br />
LogFormat "%h %l %u %t \"%r\" %>s %b" common<br />
CustomLog "logs/access_log" common<br />
<br />
# CustomLog with explicit format string<br />
CustomLog "logs/access_log" "%h %l %u %t \"%r\" %>s %b"<br />
One line explained.<br />
LogFormat "%{X-Forwarded-For}i %h %u %t \"%r\" %>s %b %D %P %X \"%{Referer}i\" \"%{User-Agent}i\"" combined<br />
CustomLog logs/api-access_log combined<br />
Example<br />
146.192.224.227, 10.199.85.25 10.199.85.25 - [22/Sep/2018:00:47:23 +0000] "GET /blabla. HTTP/1.1" 200 6008 343783 13792 - "-" "curl/7.38.0"<br />
X-Forwarded for, Remote hostname user Time "First line of request" final_status size_response time_serve_millis Process Connection_status "Referer" "user_agent"<br />
Variables described.<br />
%{X-Forwared-For}i=The contents of X-Forwared-For: header line<br />
%h=Remote hostname.<br />
%u=Remote user<br />
%t=Time the request was received<br />
%r=First line of request<br />
%>s=final status.<br />
%b=Size of response in bytes<br />
%D=The time taken to serve the request, in microseconds.<br />
%P=The process ID of the child that serviced the request.<br />
%X Connection status when response is completed:<br />
X=Connection aborted before the response completed.<br />
+=Connection may be kept alive after the response is sent.<br />
-=Connection will be closed after the response is sent.<br />
%{Referer}i=The contents of User-Agent: header line<br />
%{User-Agent}i=The contents of User-Agent: header line<br />
<br />
[[Category:Applications]]<br />
[[Category:Unix]]<br />
[[Category:Web]]</div>Ekaanbj