ENABLE LOGGING OF THE X-FORWARDED-FOR HEADER
LOGGING OF THE X-FORWARDED-FOR HEADER FOR BETTER SECURITY & ATTACK MITIGATION
In enterprise Adobe Experience Manager (AEM) environments, security and visibility are crucial, especially when responding to suspicious or malicious traffic patterns such as DoS or DDoS attacks. One common challenge DevOps teams face during such incidents is tracing the actual end-user IP address — especially when traffic is routed through load balancers, proxies, or CDNs. This is where the X-Forwarded-For (XFF) HTTP header becomes vital.
In this blog, we’ll explore how to properly log the X-Forwarded-For header in AEM Dispatcher (both Apache and IIS) and configure debugging for better traceability.
Why X-Forwarded-For Matters
DevOps teams often struggle to find the end-user IP while troubleshooting DoS and DDoS attacks or related issues.
To troubleshoot such issues, the first thing you need to do is log the end-user IP.
Logging X-Forwarded-For in Apache HTTP Server (Dispatcher)
If you're using Apache as your Dispatcher web server, here’s how you can ensure client IP logging using the XFF header.
1. Modify Log Format
To record the header in the Apache HTTP Server's access_log, add this to the httpd.conf file on the Dispatcher servers:
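# %{X-Forwarded-For}i is the client IP chain sent by the load balancer/CDN; %h is the connecting peer
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent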
This format includes the XFF header alongside standard log data such as HTTP status, request time, user agent, and referrer.
In Microsoft IIS, add X-Forwarded-For in the "Advanced Logging" configuration.
That would log the correct end-user IP.
Use the output showing the IP and User-Agent to analyse whether it is a malicious attack and block the offending IPs if it makes sense.
2. Set dispatcher.log's Log Level to Debug
Apache:
In the httpd configuration files there should be a section for the dispatcher.
Set DispatcherLogLevel to 3
DispatcherLogLevel 3
IIS:
Modify the disp_iis.ini and set the log level to 3:
loglevel=3
Validate Logs
Once implemented, trigger a request via your load balancer and verify that the access_log file reflects the actual end-user IP. This will make it easier to identify attack sources and filter or block abusive traffic.
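The log analysis described above, as an added example that is not part of the original post. It assumes each access_log line starts with the X-Forwarded-For value followed by %h, and uses a hypothetical TRUSTED list of your own proxy networks. Because a client can send its own X-Forwarded-For entries, each request is attributed to the right-most address not added by a trusted proxy before requests are counted per client.

```python
import ipaddress
import re
from collections import Counter

# Assumed access_log layout (an assumption of this example):
#   LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b"
LINE = re.compile(r'^(?P<xff>.*?) (?P<peer>\S+) \S+ \S+ \[')

# Hypothetical networks of the load balancers / CDN edges you operate.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED)

def client_ip(xff, peer):
    """Return the right-most address in the chain that is not one of our proxies."""
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return peer              # %h logged a hostname: report it unchanged
    if not is_trusted(peer_ip):
        return str(peer_ip)      # request bypassed the proxy: XFF is client-supplied
    hops = [] if xff == "-" else [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                # malformed entry: nothing to its left is reliable
        if not is_trusted(ip):
            return str(ip)
    return str(peer_ip)

def top_clients(lines, threshold):
    """Count requests per resolved client IP; return those at or above threshold."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m:
            counts[client_ip(m["xff"], m["peer"])] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed sample lines (documentation and private address ranges), not real traffic.
TAIL = ' - - [10/Oct/2024:13:55:36 +0000] "GET /content/a.html HTTP/1.1" 200 512'
SAMPLE = (
    ["203.0.113.9 10.0.0.5" + TAIL] * 3               # normal path through the LB
    + ["198.51.100.99, 203.0.113.9 10.0.0.5" + TAIL]  # client prepended a fake hop
    + ["198.51.100.20, 10.0.0.7 10.0.0.5" + TAIL]     # CDN edge, then LB
    + ["10.9.9.9 192.0.2.44" + TAIL]                  # direct hit with forged XFF
)
```

Calling top_clients(SAMPLE, 3) returns only 203.0.113.9 with four requests; pass the lines of a real access_log and a threshold that suits your traffic to list candidates for blocking.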
Conclusion
Properly logging the X-Forwarded-For header is a small but critical step in enhancing AEM’s security posture. It allows security and DevOps teams to trace real client IPs during attacks, make informed blocking decisions, and audit activity effectively.
Coupled with the right Dispatcher log levels, XFF logging forms a vital part of your AEM hardening and monitoring strategy.