How to Log the Client’s Remote Port in Access Logs (for CGN Compliance)


In response to new European Carrier-Grade NAT (CGN) regulations, some hosting environments may require logging the client’s remote port alongside the IP address. This guide outlines how to make that possible in BitNinja’s environment using WAF and custom logging.

Why Is This Needed?

Due to European Union requirements (such as Europol’s initiative on CGN), some hosting providers must log both:

  • The client’s IP address
  • The source (remote) port

This helps trace connections back to individual users behind NAT.

BitNinja’s Support for Client Port Logging

Starting from BitNinja Agent version 2.12.3, a new header has been introduced:

BN-Client-Port

This header is injected into requests by BitNinja’s SSL termination layer (HAProxy frontend) and is preserved through the WAF. It allows backend servers (Apache/Nginx) to log the original client’s port.

How to Log the Client Port

For Nginx:

  1. Open your Nginx configuration (e.g., /etc/nginx/nginx.conf).
  2. Add or modify a log_format block:

log_format combined_with_port '$remote_addr - $remote_user [$time_local] '
                              '"$request" $status $body_bytes_sent '
                              '"$http_referer" "$http_user_agent" '
                              'client_port: $http_bn_client_port';

  3. Apply the log format to your access log:

access_log /var/log/nginx/access.log combined_with_port;

  4. Reload Nginx:

sudo systemctl reload nginx

For Apache:

  1. Open your Apache config (or virtual host file).
  2. Add a custom LogFormat:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" client_port: %{BN-Client-Port}i" combined_with_port

  3. Apply it to your VirtualHost:

CustomLog /var/log/apache2/access.log combined_with_port

  4. Reload Apache:

sudo systemctl reload apache2

Where Is the Client Port Logged in BitNinja?

As of Agent version 2.12.3, the client port is also logged in:

/var/log/bitninja-waf/access.log

How to Test

  1. Send a request through a BitNinja-protected endpoint.
  2. Check your web server access log for entries containing client_port:.
  3. You should see the remote port value logged based on the BN-Client-Port header.
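
One way to automate step 2, as an added example that is not BitNinja's own tooling: the Python script below parses lines in the combined_with_port format defined above and reports whether each line carries a usable port. The function names and the sample log lines are constructed for illustration.

```python
import re

# Matches the combined_with_port layout from this page (the Nginx and Apache
# formats produce the same field order). Quoted fields allow backslash escapes,
# so a User-Agent containing the text "client_port:" cannot be mistaken for
# the real trailing field.
QUOTED = r'"(?:[^"\\]|\\.)*"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r' client_port: (?P<port>.*)$'
)

def classify(line):
    """Return 'ok', 'missing', 'invalid' or 'unparsed' for one access-log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return "unparsed"      # line was not written with combined_with_port
    port = m.group("port")
    if port in ("", "-"):      # both servers log "-" when the header is absent
        return "missing"
    # ASCII digits only, inside the valid TCP port range
    if re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535:
        return "ok"
    return "invalid"

def audit(lines):
    """Count how many lines fall into each class."""
    counts = {"ok": 0, "missing": 0, "invalid": 0, "unparsed": 0}
    for line in lines:
        counts[classify(line)] += 1
    return counts

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2025:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0" client_port: 51544',
    '203.0.113.7 - - [10/Jul/2025:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0" client_port: -',
    '198.51.100.9 - - [10/Jul/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "x client_port: 80" client_port: 70000',
    '198.51.100.9 - - [10/Jul/2025:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a live log, pass an open file object, for example audit(open('/var/log/nginx/access.log')). A non-zero "missing" count means some requests reached the web server without the BN-Client-Port header.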

Need Help?

If you run into issues or your logs don’t show the port, please contact BitNinja support at info@bitninja.io for assistance.
