Archive for the ‘Monitoring’ Category

Linux : Apache X-Forwarded-For logs for Incapsula WAF

Monday, September 30th, 2013

Incapsula has an excellent managed web application firewall product that far exceeds what is possible with F5 ASM, Riverbed etc. Why, you may ask? The answer is simple: by monitoring a huge number of web sites they can spot trends and attacks faster than it takes a vendor to identify a threat, package an updated signature and publish it for customers to download. The automated and scalable nature of Incapsula firmly puts it ahead of any dedicated web application firewall solution in terms of time to resolve critical security problems. The distributed anycast nature also allows the service to absorb massive traffic bursts without a problem, something that would not be possible with a local dedicated F5 or similar appliance.

One of the drawbacks of the Incapsula solution is that it is a proxy based system. That means the client's address arrives in an HTTP X-Forwarded-For header rather than as the connecting address, so the standard Apache logging (which records the connecting peer, i.e. the proxy, in %h) will not give you the right data for your analytics or geo-location IP blocking. However, that is very easily fixed. I found the solution here

# Standard combined format: %h is the connecting peer, which behind Incapsula is the proxy
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Same layout, but the first field is taken from the X-Forwarded-For header the proxy adds
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
# Set the "forwarded" environment variable when X-Forwarded-For looks like a dotted address
# (loose check: any value containing at least three dots matches)
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
# Both formats write to the same file, so the first field is the best available client address
CustomLog "/path-to-logs/access_log" combined env=!forwarded
CustomLog "/path-to-logs/access_log" proxy env=forwarded

The solution is simple and the description on the above supporting page is much more concise than what I will type here.
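The configuration above logs whatever the X-Forwarded-For header contains as soon as it has three dots in it, and that header is set by whoever connects to Apache. Behind Incapsula that is the proxy, but a client that reaches the origin directly can put any text it likes in the first log field, which matters if geo-location blocking or analytics are driven from that field. The following added example (my own illustration, not code from the post or from Incapsula) reproduces the page's logging rule in Python next to a hardened variant that only believes the header when the connecting peer is in a trusted proxy range and walks a comma-separated proxy chain to the first untrusted hop. The trusted range 203.0.113.0/24 and all sample requests are constructed placeholders, not Incapsula's real address space.

```python
import ipaddress
import re

# The exact regex from the SetEnvIf line above: anything containing three dots counts as "forwarded".
FORWARDED_RE = re.compile(r"^.*\..*\..*\..*")

# Hypothetical trusted proxy ranges (constructed placeholder, not Incapsula's real address space).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def logged_host_page_rule(remote_addr, headers):
    """Reproduce what the page's config writes in the first log field.

    If X-Forwarded-For matches the SetEnvIf regex the 'proxy' format is used
    and the header value is logged verbatim; otherwise 'combined' logs %h.
    """
    xff = headers.get("X-Forwarded-For")
    if xff is not None and FORWARDED_RE.match(xff):
        return xff
    return remote_addr


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Hardened variant: trust X-Forwarded-For only when the connecting peer
    is a known proxy, and walk the header right-to-left past trusted hops so
    the first untrusted address is taken as the client.  Anything malformed
    falls back to the peer address instead of logging client-chosen text."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not _is_trusted(peer, trusted):
        # Direct connection (the WAF was not in the path): the header is not ours to believe.
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not _is_trusted(addr, trusted):
            return str(addr)
    return remote_addr


# Constructed sample requests: (description, connecting peer address, request headers)
SAMPLE_REQUESTS = [
    ("direct client, no header", "198.51.100.7", {}),
    ("via trusted proxy", "203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}),
    ("proxy chain", "203.0.113.10", {"X-Forwarded-For": "198.51.100.7, 203.0.113.11"}),
    ("direct client spoofing header", "198.51.100.7", {"X-Forwarded-For": "192.0.2.1"}),
    ("direct client, non-IP junk", "198.51.100.7", {"X-Forwarded-For": "a.b.c.d"}),
]


def compare_rules(requests=SAMPLE_REQUESTS):
    """Return {description: (page_rule_result, hardened_result)} for each sample request."""
    return {
        desc: (logged_host_page_rule(peer, hdrs), client_ip_hardened(peer, hdrs))
        for desc, peer, hdrs in requests
    }


if __name__ == "__main__":
    for desc, (page, hardened) in compare_rules().items():
        print(f"{desc:32} page rule logs {page!r:32} hardened logs {hardened!r}")
```

Running it shows the two rules agreeing for the normal cases (no header, or a genuine proxy in front) and diverging exactly where it matters: the page's rule logs "192.0.2.1" and even "a.b.c.d" verbatim for a direct connection, while the hardened rule keeps the real peer address. In Apache itself the same effect is available server-side with mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPTrustedProxy for the proxy ranges), which rewrites the client address before logging so a single LogFormat suffices; restricting the origin to accept connections only from the WAF's ranges removes the spoofing path altogether.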