4

Is there any way I can view the hostnames used by incoming traffic that is accepted by my apache webserver?

For example, say the webserver is set up to process incoming traffic for an IP address, but there are several host names the webserver can accept, such as:

www.mydomain.com mydomain.com myotherdomain.com etc.

I need to see the hostnames that others are using to enter my webserver successfully.

The reason is I have some software that auto-generates some traffic going to my webserver, and I need to know the hostname it is using so that I can correctly setup Apache's httpd.conf file's virtual hosts to receive it correctly.

Can tcpdump be configured to look into the web traffic and extract this hostname? Or wireshark? In all the examples I see, including Apache's access_log file, there's only IP address, not hostnames. However, I need the hostname information for httpd.conf's VirtualHost stuff. Hope that makes sense.

gkdsp
  • 582
  • 1
  • 6
  • 19

1 Answers1

7

You can configure a custom log format for access logging which will include this information.

Adjust your existing logging directives as needed, but you'll want something like this:

LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined_with_access_host
CustomLog /var/log/wherever-you-put-it/access_log combined_with_access_host

That will write the received HTTP Host header into the start of the line - and if it's blank, then the line will instead start with a space.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • Thanks Shane. Here's what I've done: LogFormat "%{Host}i %h %l %u %t \%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined --next line -- CustomLog logs/access_log combined, and the output still has IP address as first entry. Here's an example access_log output when I visit one of my websites: xx.xxx.xxx.196 xx.xx.x.58 - - [18/Feb/2012:15:43:54 -0800] "GET / HTTP/1.0" 200 111 "-" "check_http/1.81 (nagios-plugins 1.4.2)". I had entered into a browser, http://mydomain.com/mywebpage.html, and would like to see the log file start with: mydomain.com (as an example) – gkdsp Feb 18 '12 at 23:44
  • I just tried the software application (Adobe Flashbuilder) that trys to access my website that I'm trying to figure out what hostname it's using, and here's the output (looks like unknowns log as a dash - rather than a space): - xx.xxx.xxx.163 - - [18/Feb/2012:15:47:01 -0800] "GET /mywebapp2/flex_wizard_project_test_script_server_532094996082353987.htm HTTP/1.0" 404 2314 "-" "-" – gkdsp Feb 18 '12 at 23:50
  • It's working correctly. You've pasted a log line from a nagios check plugin, not a browser - seems that it's sending that IP address as the host header. And the Adobe one is `HTTP/1.0` - it's not sending a host header at all. – Shane Madden Feb 18 '12 at 23:51
  • After doing some research, it appears HTTP/1.0 doesn't require a client browser to include host header, although it can include one and it seems most browsers do. http://httpd.apache.org/docs/2.2/vhosts/name-based.html – gkdsp Feb 19 '12 at 00:43