How do I capture client IP addresses in the web server logs behind an elastic load balancer?
I use Elastic Load Balancing (ELB) for my web server and see my load balancer's IP address in the web server access logs. I want to capture client IP addresses instead.
Short description
Your web server access logs capture the IP address of your load balancer because the load balancer establishes the connection to your instances. To capture the IP addresses of clients in your web server access logs, configure the following:
- For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, add the X-Forwarded-For HTTP header to capture client IP addresses. You can then configure your web server access logs to record these IP addresses.
- For Classic Load Balancers with TCP/SSL listeners, configure proxy protocol support on the Classic Load Balancer and the target application.
- For Network Load Balancers, register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target group attributes.
- For Network Load Balancers when you can register only IP addresses as targets, activate proxy protocol version 2 on the load balancer. For instructions, see Activate proxy protocol.
Resolution
Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners (Apache)
To add the X-Forwarded-For HTTP header and configure your web server access logs, complete the following steps:
- Use a text editor to open your Apache configuration file. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.
- In the LogFormat section, add %{X-Forwarded-For}i, as the following example shows:
  ...
  LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  ...
- Save your changes.
- Reload the Apache service. Based on your system, run one of the following commands:
  Sysvinit, Debian-based systems (such as Ubuntu) and SUSE (such as SLES11)
  # /etc/init.d/apache2 reload
  Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE
  # /etc/init.d/httpd reload
  Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12)
  # systemctl reload apache2
  Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE
  # systemctl reload httpd
- Open your Apache web server access logs. The location varies by configuration.
- Verify that client IP addresses are now recorded in the X-Forwarded-For field of each log entry.
Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (NGINX)
To add the X-Forwarded-For HTTP header and configure your web server access logs, complete the following steps:
- Use a text editor to open your NGINX configuration file. The location is typically /etc/nginx/nginx.conf.
- In the log_format directive of the http section, add $http_x_forwarded_for, as the following example shows:
  http {
      ...
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      ...
  }
- Save your changes.
- Reload the NGINX service. For Amazon Linux 2 or RHEL, run the following command:
  systemctl reload nginx
  Note: The command to reload the NGINX service is different on other systems. The commands to reload NGINX are similar to the commands to reload the Apache service in the previous section.
- Open your NGINX web server access logs. The location varies by configuration.
- Verify that client IP addresses are now recorded in the X-Forwarded-For field of each log entry.
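The two log formats above put the X-Forwarded-For value in different places: Apache logs it unquoted as the first field (so a multi-hop value such as "203.0.113.7, 198.51.100.9" contains a space and breaks naive whitespace splitting), while NGINX logs it quoted as the last field. The header is also client-supplied: a client can send its own X-Forwarded-For, and the load balancer appends the connecting address to the end of it, so only the rightmost entry is the one the load balancer added, and even that is only trustworthy when the instance accepts traffic from the load balancer alone. The following parser is an added example for both the Apache and NGINX sections, not code from AWS, Apache or NGINX; the log lines are constructed samples in the exact formats shown on this page, and the field names are the author's own.

```python
import ipaddress
import re
from collections import Counter

# Apache LogFormat from this page: %{X-Forwarded-For}i is the FIRST, unquoted field.
# A non-greedy xff group followed by the fixed "%h %l %u [%t]" structure still
# recovers a multi-hop value that contains ", ".
APACHE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<remote>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# NGINX log_format from this page: "$http_x_forwarded_for" is the LAST, quoted field.
NGINX_RE = re.compile(
    r'^(?P<remote>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)

FORMATS = {"apache": APACHE_RE, "nginx": NGINX_RE}

# Constructed sample lines. 10.0.1.23 stands in for a load balancer node, the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.
# Line 2 shows a client at 198.51.100.9 that sent its own X-Forwarded-For header
# claiming 203.0.113.7; the load balancer appended the real address at the end.
# Line 3 is a health check, which carries no X-Forwarded-For header at all.
SAMPLE_APACHE = """\
203.0.113.7 10.0.1.23 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/8.0.1"
203.0.113.7, 198.51.100.9 10.0.1.23 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
- 10.0.1.23 - - [10/Oct/2023:13:55:38 +0000] "GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"
"""

SAMPLE_NGINX = """\
10.0.1.23 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0.1" "203.0.113.7, 198.51.100.9"
10.0.1.23 - - [10/Oct/2023:13:55:40 +0000] "GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0" "-"
"""


def client_ip_from_xff(xff: str):
    """Return the address the load balancer appended (the rightmost entry), or None.

    Entries to the left were presented by the client or by upstream proxies and
    must not be treated as the client address. A non-address value (a client can
    send arbitrary header text) yields None rather than a bogus string.
    """
    if xff in ("", "-"):
        return None
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None


def parse_line(line: str, fmt: str) -> dict:
    """Parse one access-log line in the given format ("apache" or "nginx")."""
    match = FORMATS[fmt].match(line)
    if match is None:
        raise ValueError(f"line does not match the {fmt} format: {line!r}")
    rec = match.groupdict()
    rec["client_ip"] = client_ip_from_xff(rec["xff"])
    # More than one entry means the request reached the load balancer already
    # carrying an X-Forwarded-For header (an upstream proxy, or a client trying
    # to pass off another address as its own). Worth flagging for review.
    rec["client_supplied_xff"] = "," in rec["xff"]
    return rec


def parse_log(text: str, fmt: str) -> list:
    return [parse_line(line, fmt) for line in text.splitlines() if line.strip()]


def top_clients(records: list, n: int = 5) -> list:
    """Most frequent load-balancer-appended client addresses, for a quick triage view."""
    return Counter(r["client_ip"] for r in records if r["client_ip"]).most_common(n)


if __name__ == "__main__":
    for fmt, text in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX)):
        for rec in parse_log(text, fmt):
            flag = " (client-supplied X-Forwarded-For present)" if rec["client_supplied_xff"] else ""
            print(f'{fmt}: client={rec["client_ip"]} lb={rec["remote"]} {rec["request"]!r}{flag}')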
Classic Load Balancers with TCP/SSL Listeners (Apache)
To configure proxy protocol support, complete the following steps:
- Use a text editor to open your Apache configuration file. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.
- Make sure that your Apache configuration loads the module mod_remoteip (available for Apache version 2.4.31 and newer). For more information, see Apache Module mod_remoteip on the Apache website. This module provides the RemoteIPProxyProtocol directive; see RemoteIPProxyProtocol Directive on the Apache website. In your configuration file, check for a line that's similar to one of the following:
  Amazon Linux or RHEL
  LoadModule remoteip_module modules/mod_remoteip.so
  Ubuntu
  LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
- To confirm that the mod_remoteip module loads, run the following command:
  $ sudo apachectl -t -D DUMP_MODULES | grep -i remoteip
- Review the output and verify that it contains a line that's similar to the following:
  remoteip_module (shared)
  Important: If the output doesn't contain this line, then the module isn't included or loaded in your configuration. Make sure that you activate the module before you proceed.
- To activate proxy protocol support, add the following line to your Apache configuration file:
  RemoteIPProxyProtocol On
- Edit the LogFormat section of the configuration file to capture the remote IP address (%a) and the remote port (%{remote}p):
  LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
- Save your changes.
- Reload the Apache service. Based on your system, run one of the following commands:
  Sysvinit, Debian-based systems (such as Ubuntu), and SUSE (such as SLES11)
  # /etc/init.d/apache2 reload
  Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE
  # /etc/init.d/httpd reload
  Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12)
  # systemctl reload apache2
  Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE
  # systemctl reload httpd
- Open the Apache web server access logs. The location varies by configuration.
- Verify that client IP addresses are now recorded from the proxy protocol header.
- Activate support for proxy protocol in your target application.
Classic Load Balancers with TCP/SSL Listeners (NGINX)
To configure proxy protocol support, complete the following steps:
- Use a text editor to open the NGINX configuration file. The location is typically /etc/nginx/nginx.conf.
- Add the proxy_protocol parameter to the listen directive in the server section, and use $proxy_protocol_addr in the log_format directive of the http section:
  http {
      ...
      log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$proxy_protocol_addr"';
      access_log /var/log/nginx/access.log main;
      ...
      server {
          ...
          listen 80 default_server proxy_protocol;
          ...
      }
      ...
  }
- Save your changes.
- Reload the NGINX service. For Amazon Linux 2 or RHEL, run the following command:
  systemctl reload nginx
  Note: The command to reload the NGINX service is different on other systems. The commands to reload NGINX are similar to the commands to reload the Apache service in the previous section.
- Open the NGINX web server access logs. The location varies by configuration.
- Verify that client IP addresses are now recorded from the proxy protocol header.
- Activate support for proxy protocol in your target application.
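With proxy protocol enabled on a TCP/SSL listener, the load balancer prepends one text line to every connection before the client's own bytes, and RemoteIPProxyProtocol (Apache) or the proxy_protocol listen parameter (NGINX) is what strips that line and substitutes the address it carries. The two sides have to agree: if the load balancer sends the line but the server is not configured for it, the server sees "PROXY TCP4 ..." as a malformed HTTP request; if the server expects it but nothing sends it, the first real request line fails the signature check. And because the line is plain text, any peer allowed to reach the instance directly could send one, so the instance should accept connections only from the load balancer. The parser below is an added example for both the Apache and NGINX proxy protocol sections, not code from AWS, Apache or NGINX; it implements the version 1 header format as specified by the PROXY protocol, and the sample connection bytes, addresses and ports are constructed.

```python
import ipaddress

# Longest legal v1 line including CRLF, per the PROXY protocol specification
# ("PROXY TCP6 <39-char addr> <39-char addr> 65535 65535\r\n").
PROXY_V1_MAX_LEN = 107


class ProxyHeaderError(ValueError):
    """The bytes at the start of the connection are not a valid v1 PROXY line."""


# Constructed sample: what a Classic Load Balancer TCP listener with proxy protocol
# enabled would send to the target ahead of the client's HTTP request. The client
# address is from a documentation range; 10.0.1.23 stands in for the instance.
SAMPLE_CONNECTION = (
    b"PROXY TCP4 203.0.113.7 10.0.1.23 51234 80\r\n"
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
)


def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 line from the first bytes of a TCP connection.

    Returns (info, rest): info holds the original client and target endpoints, or is
    None for the "PROXY UNKNOWN" form (the proxy could not determine them); rest is
    the application data that follows the header. Raises ProxyHeaderError when the
    data does not start with a well-formed header, which the spec requires the
    receiver to treat as a fatal error rather than guess around.
    """
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ProxyHeaderError("no CRLF within %d bytes" % PROXY_V1_MAX_LEN)
    line, rest = data[:end], data[end + 2:]
    fields = line.split(b" ")
    if fields[0] != b"PROXY":
        # Typical symptom of a mismatch: plain HTTP arrived where a header was expected.
        raise ProxyHeaderError("missing PROXY signature, got %r" % line[:16])
    if len(fields) >= 2 and fields[1] == b"UNKNOWN":
        # The spec allows arbitrary text after UNKNOWN up to the CRLF; ignore it.
        return None, rest
    if len(fields) != 6:
        raise ProxyHeaderError("expected 6 fields, got %d" % len(fields))
    proto = fields[1]
    if proto not in (b"TCP4", b"TCP6"):
        raise ProxyHeaderError("unsupported protocol %r" % proto)
    want_version = 4 if proto == b"TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        raise ProxyHeaderError("bad address: %s" % exc) from None
    if src.version != want_version or dst.version != want_version:
        raise ProxyHeaderError("address family does not match %r" % proto)
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("ports must be decimal integers")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ProxyHeaderError("port out of range")
    return {
        "proto": proto.decode("ascii"),
        "client": str(src),          # what %a / $proxy_protocol_addr will show
        "client_port": src_port,     # what %{remote}p will show
        "target": str(dst),
        "target_port": dst_port,
    }, rest


def starts_with_proxy_v1(data: bytes) -> bool:
    """True when the connection begins with a well-formed v1 header (UNKNOWN included)."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE_CONNECTION)
    print("client endpoint:", info["client"], info["client_port"])
    print("application data:", rest.split(b"\r\n", 1)[0])
    print("plain HTTP accepted as header?", starts_with_proxy_v1(b"GET / HTTP/1.1\r\n"))
```

The UNKNOWN branch matters in practice: a health check or other unproxied connection may carry "PROXY UNKNOWN", and the server should then fall back to the TCP peer address rather than reject the connection.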