tech-notes

Parsing Caddy Logs to get IP and ASN Analytics (including Cloudflare-proxied)

A powerful Python utility for analyzing Caddy web server logs to summarize IP addresses and ASN information from requests.

Pablo González Troyano

2 min read
Parsing Caddy Logs to get IP and ASN Analytics (including Cloudflare-proxied)

Inspired by this post by Anarcat, I've developed a Python script to parse Caddy (a web server and reverse proxy) logs to get information about the top IP and ASN visiting the sites behind Caddy.

Traffic meter per ASN without logs
anarcat
anarcat

This tool analyzes Caddy web server logs to:

  1. Extract client IP addresses (handling both direct connections and Cloudflare-proxied requests)
  2. Count request frequency per IP address
  3. Look up ASN (Autonomous System Number) information for each IP
  4. Generate summaries and statistics about traffic patterns
  5. Export data to JSON for further analysis
  6. Load previously saved data for review without reprocessing logs

Python script code

The key difference with other similar tools is that it allows you to see the real visitor IP behind Cloudflare (using X-Forwarded-For header) when present, instead of the base client_ip present on Caddy Logs

The Python script is published on Github, below I detail the features:

GitHub - gonzaleztroyano/asn-counters-caddy: A powerful Python utility for analyzing Caddy web server logs to summarize IP addresses and ASN information from requests.
A powerful Python utility for analyzing Caddy web server logs to summarize IP addresses and ASN information from requests. - gonzaleztroyano/asn-counters-caddy
GitHubgonzaleztroyano

Features

  • IP Detection Logic:

    • Extracts original client IPs from Cloudflare X-Forwarded-For headers
    • Uses remote_ip for direct connections
    • Handles both IPv4 and IPv6 addresses

  • ASN Lookup:

    • Identifies the network/organization behind each IP address
    • Uses MaxMind MMDB format databases (compatible with GeoIP2, IPinfo, DB-IP)
    • Shows ASN numbers and organization names

  • Multiple Input Options:

    • Process individual log files
    • Process multiple log files at once
    • Use glob patterns to match logs (e.g., logs/caddy-2025-*.log)
    • Read from stdin for piped input
    • Support for compressed (.gz) log files

  • Data Management:

    • Save results to JSON files for later analysis
    • Load previously saved data without reprocessing logs
    • Append new data to existing analysis
    • Overwrite existing files with new results

  • Analysis Output:

    • Shows top N IPs by request count (customizable)
    • Shows top N ASNs by request count
    • Provides percentage statistics for ASNs
    • Formatted tables for easy reading

Any doubts?

Do not hesitate to contact me with any questions, suggestions, complaints or clarifications you may have, I'll be happy to talk to you!

Recibe novedades en tu bandeja de entrada 😁.

Introduce tu email
¡Suscríbete!