As the subject says, I see entries like these in my raw access logs of Apache:
XXX.XXX.XXX.195 - - [07/Jan/2022:11:12:45 +0200] "GET /index.php HTTP/1.1" 200 9487 "https://www.my_domain.com/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"
XXX.XXX.XXX.195 - - [03/Feb/2022:16:29:23 +0200] "GET /contact.php HTTP/1.1" 200 10057 "https://www.my_domain.com/contact.php" "Mozilla/5.0 (Linux; Android 11; SM-A515F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87 Mobile Safari/537.36"
etc etc
But XXX.XXX.XXX.195 = my server's IP address and it is showing this, instead of the client's IP.
From the Apache documentation:
This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine.
There is no proxy running on my server and this is only 10-20 hits out of thousands every day and I am wondering why this might happen.
Apache LogFormat: see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats
If you use a local proxy (Apache/nginx for a Node.js server, for example), you need to check the X-Forwarded-For and X-Forwarded-Host HTTP headers.
Please post your complete LogFormat setting in use.
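To see what the entries carrying the server's own address have in common, they can be pulled out of the access log and grouped by request and user agent. The script below is an added example, not code from any of the posts above; it assumes the standard "combined" LogFormat, and the addresses in `SERVER_ADDRESSES` and the lines in `SAMPLE_LOG` are constructed placeholders.

```python
import re
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Quoted fields allow backslash-escaped characters, as Apache writes them.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{QUOTED})" (?P<status>\d{{3}}) (?P<size>\S+) '
    rf'"(?P<referer>{QUOTED})" "(?P<agent>{QUOTED})"'
)

# Assumption: addresses the server itself answers on (placeholder values).
SERVER_ADDRESSES = {"203.0.113.195", "127.0.0.1", "::1"}

# Constructed sample lines, not taken from a real log.
SAMPLE_LOG = """\
203.0.113.195 - - [07/Jan/2022:11:12:45 +0200] "GET /index.php HTTP/1.1" 200 9487 "https://www.example.com/index.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.23 - - [07/Jan/2022:11:12:50 +0200] "GET /index.php HTTP/1.1" 200 9487 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.195 - - [03/Feb/2022:16:29:23 +0200] "GET /contact.php HTTP/1.1" 200 10057 "https://www.example.com/contact.php" "Mozilla/5.0 (Linux; Android 11; SM-A515F)"
this line is truncated and does not match
"""

def self_sourced(lines, server_addresses=SERVER_ADDRESSES):
    """Return (entries whose %h is one of the server's addresses, unparseable line count)."""
    hits, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        m = COMBINED.match(line)
        if m is None:
            skipped += 1  # keep a count so a wrong LogFormat is noticed
            continue
        if m["host"] in server_addresses:
            hits.append(m.groupdict())
    return hits, skipped

def summarize(hits):
    """Count self-sourced hits per (request line, user agent) pair."""
    return Counter((h["request"], h["agent"]) for h in hits)

if __name__ == "__main__":
    hits, skipped = self_sourced(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} self-sourced entries, {skipped} unparseable lines")
    for (request, agent), n in summarize(hits).most_common():
        print(f"{n:4d}  {request}  {agent}")
```

A high unparseable count means the log is not in combined format and the pattern has to be adapted to the LogFormat actually in use.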