How to log HTTP_HOST in apache logs on machines with many hostnames

By , July 30, 2015

Sometimes you find yourself operating web servers that handle a great many hostnames that do not each map to a separate virtual host.

Examples:

  • URL Forwarders
  • URL shorteners
  • “Parked” pages (“This domain coming soon!”)
  • PPC platforms
  • Expired domain aggregators

You end up with a lot of domains all coming through the same host config. Unless your code traps the hostname somewhere (the “HTTP_HOST” environment variable), you ordinarily won’t know which requests are for which hostnames. Most of the time, you may not care.

Then the DDoS hits, or some other event makes it suddenly very important, urgent even, to know which hostname is causing all the problems, so that you can pull the plug on it, reroute it someplace else, or otherwise put out the fire.

It’s easily done by modifying the relevant LogFormat in your Apache config to include the HTTP_HOST variable in your logging:

Step 1) Look at your Apache virtual host config to see which log format you are using (e.g. /etc/apache2/sites-enabled/000-default):

$ less /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
            [ snip ]
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Step 2) Find the LogFormat directive in your apache.conf file that ends with the same format identifier as the CustomLog line in your VirtualHost (above).

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" [%{HTTP_HOST}e]" combined

Step 3) Enter the environment variable you want to include in the line in the format:

%{ENV_VARIABLE}e

I like to surround HTTP_HOST with square brackets and append it to the line (by appending it I’m hoping it won’t break any log parsers that may already be analyzing those logs):

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" [%{HTTP_HOST}e]" combined

Then you simply restart Apache and you’ll see that your logs now have the HTTP_HOST header sent by the client appended to each line. Look at these logs during your next DDoS (if you can get into the machine) and it should become readily apparent who the DDoS target is.
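One way to tally requests per hostname from logs written in the format above, as an added example that is not part of the original post. The function names and the sample log lines are constructed for illustration; it assumes the bracketed host is the last field on the line, as in the LogFormat shown.

```python
import re
from collections import Counter

# Trailing ' [host]' field appended after the quoted User-Agent by the
# LogFormat above. Anchoring on the closing quote and end of line keeps the
# bracketed timestamp and any brackets inside the User-Agent from matching.
HOST_FIELD = re.compile(r'" \[(?P<host>[^"\s]*)\]$')

def normalize_host(raw):
    """Fold case, trailing dot and :port so one domain is counted once."""
    host = raw.lower()
    if host in ("", "-"):                 # Apache logs "-" for an unset value
        return "(no host)"
    if host.startswith("["):              # IPv6 literal such as [2001:db8::1]:80
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    if host.count(":") == 1:              # name:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or "(no host)"

def count_hosts(lines):
    """Return a Counter of requests per logged hostname."""
    counts = Counter()
    for line in lines:
        m = HOST_FIELD.search(line.rstrip("\r\n"))
        # Lines without the field (old format, odd Host value) stay visible.
        counts[normalize_host(m.group("host")) if m else "(unparsed)"] += 1
    return counts

# Constructed sample lines (documentation IPs, .example names), not real traffic.
SAMPLE = """\
192.0.2.10 - - [30/Jul/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" [parked-one.example]
192.0.2.11 - - [30/Jul/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.38 [test]" [Parked-One.Example:80]
198.51.100.7 - - [30/Jul/2015:10:00:02 +0000] "GET /x HTTP/1.1" 200 512 "-" "Mozilla/5.0" [parked-one.example.]
198.51.100.8 - - [30/Jul/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" [short.example]
198.51.100.9 - - [30/Jul/2015:10:00:03 +0000] "GET / HTTP/1.0" 200 512 "-" "-" [-]
198.51.100.9 - - [30/Jul/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" [[2001:db8::1]:80]
203.0.113.5 - - [30/Jul/2015:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for host, hits in count_hosts(SAMPLE.splitlines()).most_common(10):
        print(f"{hits:8d}  {host}")
```

The logged value is whatever the client sent, so treat it as untrusted input in anything that consumes these logs. If the field shows `-` for every request, `%{Host}i` is the mod_log_config form that logs the Host request header directly.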
