eldy / AWStats

AWStats Log Analyzer project (official sources)
https://www.awstats.org

IPv6 module error when parsing hosts with commas #95

Closed sumdog closed 6 years ago

sumdog commented 6 years ago

I started seeing the following when running awstats to parse logs:

    Can't call method "reverse_ip" on an undefined value at /usr/share/awstats/plugins/ipv6.pm line 62, <LOG> line 39916.

I was on an Ubuntu docker image running awstats v7.4, so I updated to ubuntu:artsy so I could get awstats 7.6 (specifically AWStats version 7.6 (build 20161204)) and got the same error. The problem comes from lines like the following:

    65.215.163.8, ::ffff:104.129.200.79 - - [09/Mar/2018:15:59:04 +0000] "GET /RVM.version HTTP/1.1" 200 33 "-" "-"
    65.215.163.8, ::ffff:104.129.200.79 - - [09/Mar/2018:17:57:56 +0000] "GET /RVM.version HTTP/1.1" 200 33 "-" "-"

Is the common log format supposed to allow for separating out hosts and their proxies with commas? I've got the following in my awstats configuration:

    LogType=W
    LogFormat=1
    LogSeparator=" "

My HAProxy is setting up an X-Forwarded-For header by using the following option:

    # Add x-forwarded-for header.
    option forwardfor

...and nginx seems to be passing it on straight through using the following log format:

    log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
        '"$request" $status $body_bytes_sent "$http_referer" '
        '"$http_user_agent"';

Is this a bug in awstats (should it be able to handle those source addresses that are separated by a comma and a space) or should haproxy not be reporting x-forwarded-for in that format?

avian2 commented 6 years ago

I'm pretty sure you need to have only one IP address in the first field of your log format in order for awstats to understand it. No commas or spaces.

If you have two different fields separated by a space (for example client IP and a proxy IP), then you should use something like LogFormat="%host %other <rest of the fields here>" in your awstats.conf.

sumdog commented 6 years ago

You're right, this isn't really an awstats issue, and it's actually good it fails here rather than discarding bad log entries.

For future reference for others who experience this issue and happen to be using HAProxy, I fixed it by adding the following to my HAProxy frontend:

    http-request set-header X-Forwarded-For %[src]

and removing the following from the default section:

    option forwardfor

That replaces the X-Forwarded-For header instead of appending a second one.
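
Added example (not part of the thread and not AWStats code): for logs already written with a multi-address first field, this Python sketch rewrites each line so the host field holds exactly one validated IP before AWStats reads it. The function names are hypothetical, and it assumes the last entry is the one appended by the trusted proxy (`option forwardfor`), so any earlier entries are client-supplied and ignored.

```python
import ipaddress
import re

# Matches the nginx log_format from the thread: the first field is
# $http_x_forwarded_for, which may hold several comma-separated addresses.
LINE_RE = re.compile(r'^(?P<hosts>.+?) - (?P<rest>\S+ \[.*)$')


def last_hop(hosts: str) -> str:
    """Return the last address of an X-Forwarded-For value, validated.

    Assumption: the last entry was appended by the trusted proxy;
    everything before it came from the client and can be forged.
    """
    candidate = hosts.split(",")[-1].strip()
    addr = ipaddress.ip_address(candidate)  # raises ValueError if not an IP
    # Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def normalize_line(line: str) -> str:
    """Rewrite a log line so its first field is exactly one IP address."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognized log line: {line!r}")
    hosts = m.group("hosts")
    if hosts == "-":  # request arrived without an X-Forwarded-For header
        return line
    return f"{last_hop(hosts)} - {m.group('rest')}"


# Constructed sample input in the format shown in the thread.
TAIL = '- [09/Mar/2018:15:59:04 +0000] "GET /RVM.version HTTP/1.1" 200 33 "-" "-"'
SAMPLE = [
    f"65.215.163.8, ::ffff:104.129.200.79 - {TAIL}",  # two hops, mapped IPv6
    f"not-an-ip, 192.0.2.7 - {TAIL}",                 # forged first entry
    f"- - {TAIL}",                                    # header absent
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(normalize_line(raw))
```

Lines whose last entry is not a valid address raise `ValueError` rather than being dropped silently, so malformed entries stay visible to whoever runs the pre-processing step.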