
How do I capture client IP addresses in the web server logs behind an elastic load balancer?


I use Elastic Load Balancing (ELB) for my web server and see my load balancer's IP address in the web server access logs. I want to capture client IP addresses instead.

Short description

Your web server access logs capture the IP address of your load balancer because the load balancer, not the client, establishes the connection to your instances. To capture the IP addresses of clients in your web server access logs, apply the configuration below that matches your load balancer type, listener type, and web server.

Resolution

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners (Apache)

To add the X-Forwarded-For HTTP header and configure your web server access logs, complete the following steps:

  1. Use a text editor to open your Apache configuration file. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

  2. In the LogFormat section, add %{X-Forwarded-For}i, as the following example shows:

    ...
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    ...
  3. Save your changes.

  4. Reload the Apache service. Based on your system, run one of the following commands:

    Sysvinit, Debian-based systems (such as Ubuntu) and SUSE (such as SLES11)

    # /etc/init.d/apache2 reload

    Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE

    # /etc/init.d/httpd reload

    Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12)

    # systemctl reload apache2

    Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE

    # systemctl reload httpd
  5. Open your Apache web server access logs. The location varies by configuration.

  6. Verify that client IP addresses are now recorded under the X-Forwarded-For header.

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (NGINX)

To add the X-Forwarded-For HTTP header and configure your web server access logs, complete the following steps:

  1. Use a text editor to open your NGINX configuration file. The location is typically /etc/nginx/nginx.conf.

  2. In the log_format directive of the http block, add $http_x_forwarded_for, as the following example shows:

    http {
        ...
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
        access_log  /var/log/nginx/access.log  main;
        ...
    }
  3. Save your changes.

  4. Reload the NGINX service. For Amazon Linux 2 or RHEL, run the following command:

    systemctl reload nginx

    Note: The command to reload the NGINX service is different on other systems. The commands to reload NGINX are similar to the commands to reload the Apache service in the previous section.

  5. Open your NGINX web server access logs. The location varies by configuration.

  6. Verify that client IP addresses are now recorded under the X-Forwarded-For header.
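Both the Apache and the NGINX formats above log the whole X-Forwarded-For value, and a client can send that header itself; only the rightmost address, which the load balancer appends, is the one the load balancer vouches for. The following parser, an added example rather than code from this page or from AWS, pulls that address out of lines in each format and ignores the header altogether when the TCP peer is not a load balancer; the log lines and the 172.31.0.0/16 trusted range are constructed.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the two log formats this page configures. The
# client sent a forged X-Forwarded-For value ("10.9.9.9"); the load balancer
# appended the address it actually saw (203.0.113.7) before forwarding.
APACHE_LINE = ('10.9.9.9, 203.0.113.7 172.31.5.12 - - [10/Oct/2023:13:55:36 +0000] '
               '"GET /login HTTP/1.1" 200 2326 "-" "curl/8.0"')
NGINX_LINE = ('172.31.5.12 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" '
              '200 2326 "-" "curl/8.0" "10.9.9.9, 203.0.113.7"')
DIRECT_LINE = ('198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" '
               '200 512 "-" "curl/8.0" "10.9.9.9"')  # reached the instance directly

# Hypothetical: the subnets your load balancer nodes connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.0.0/16")]

# Page's Apache format: the X-Forwarded-For value (comma-separated, or "-")
# comes first, then %h. Page's NGINX format: $remote_addr first, header last.
APACHE_RE = re.compile(r'^(?P<xff>(?:\S+, )*\S+) (?P<peer>\S+) ')
NGINX_RE = re.compile(r'^(?P<peer>\S+) .* "(?P<xff>[^"]*)"$')


def client_ip(line: str, fmt: str) -> Optional[str]:
    """Return the client address the load balancer vouches for.

    Only the rightmost X-Forwarded-For entry was appended by the load balancer;
    everything to its left is client-supplied. If the TCP peer is not a trusted
    load balancer, the header is ignored and the peer itself is the client.
    """
    pattern = APACHE_RE if fmt == "apache" else NGINX_RE
    m = pattern.match(line)
    if not m:
        return None
    try:
        peer = ipaddress.ip_address(m["peer"])
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    last = m["xff"].split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # "-" (no header) or garbage: nothing trustworthy to report
```

Because the Apache format above places the unquoted header at the start of the line, a header value containing spaces shifts every later field; quoting it as \"%{X-Forwarded-For}i\" keeps the line parseable.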

Classic Load Balancers with TCP/SSL Listeners (Apache)

To configure proxy protocol support, complete the following steps:

  1. Use a text editor to open your Apache configuration file. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

  2. Make sure that your Apache configuration loads the module mod_remoteip (available for Apache version 2.4.31 and newer). For more information, see Apache Module mod_remoteip on the Apache website. This module provides the RemoteIPProxyProtocol directive; see RemoteIPProxyProtocol Directive on the Apache website. In your configuration file, check for a line that's similar to one of the following:

    Amazon Linux or RHEL

    LoadModule remoteip_module modules/mod_remoteip.so

    Ubuntu

    LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
  3. To confirm that the mod_remoteip module loads, run the following command:

    $ sudo apachectl -t -D DUMP_MODULES | grep -i remoteip
  4. Review the output and verify that the output contains a line that's similar to the following:

    remoteip_module (shared)

    Important: If the output doesn't contain this line, then the module isn't included or loaded in your configuration. Make sure that you activate the module before you proceed.

  5. To activate proxy protocol support, add the following line to your Apache configuration file:

    RemoteIPProxyProtocol On
  6. Edit the LogFormat section of the configuration file to capture the remote IP address (%a) and the remote port (%{remote}p):

    LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  7. Save your changes.

  8. Reload the Apache service. Based on your system, run one of the following commands:

    Sysvinit, Debian-based systems (such as Ubuntu), and SUSE (such as SLES11)

    # /etc/init.d/apache2 reload

    Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE

    # /etc/init.d/httpd reload

    Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12)

    # systemctl reload apache2

    Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE

    # systemctl reload httpd
  9. Open the Apache web server access logs. The location varies by configuration.

  10. Verify that client IP addresses are now recorded under the Proxy Protocol header.

  11. Activate support for proxy protocol in your target application.

Classic Load Balancers with TCP/SSL Listeners (NGINX)

To configure proxy protocol support, complete the following steps:

  1. Use a text editor to open the NGINX configuration file. The location is typically /etc/nginx/nginx.conf.

  2. Add proxy_protocol to the listen directive in the server block, and update the log_format line in the http block to log $proxy_protocol_addr:

    http {
        ...
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$proxy_protocol_addr"';

        access_log  /var/log/nginx/access.log  main;
        ...
        server {
            ...
            listen  80  default_server proxy_protocol;
            ...
        }
        ...
    }
  3. Save your changes.

  4. Reload the NGINX service. For Amazon Linux 2 or RHEL, run the following command:

    systemctl reload nginx

    Note: The command to reload the NGINX service is different on other systems. The commands to reload NGINX are similar to the commands to reload the Apache service in the previous section.

  5. Open the NGINX web server access logs. The location varies by configuration.

  6. Verify that client IP addresses are now recorded under the Proxy Protocol header.

  7. Activate support for proxy protocol in your target application.
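The last step of both proxy protocol procedures above is to make the target application understand the header itself. The following parser is an added example, not code from this page or from AWS: it splits the version 1 text header that Classic Load Balancers send off the front of a TCP stream and applies the checks an application should make before trusting it. The sample bytes and addresses are constructed.

```python
import ipaddress
from typing import Optional, Tuple

MAX_V1_HEADER = 107  # longest legal version 1 line, CRLF included


class ProxyHeaderError(ValueError):
    """Raised for a malformed header; the right response is to drop the connection."""


# Constructed sample of what the instance receives when a client at
# 203.0.113.7:51234 connects through a load balancer with proxy protocol on.
SAMPLE = (b"PROXY TCP4 203.0.113.7 172.31.5.12 51234 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")


def parse_proxy_v1(data: bytes) -> Tuple[Optional[dict], bytes]:
    """Split a version 1 PROXY header off the front of a TCP stream.

    Returns (client_info, remaining_bytes). client_info is None for the UNKNOWN
    form, where the load balancer could not determine the client address.
    Accept the header only on connections that arrive from the load balancer
    itself; on a port reachable directly, any peer could prepend one.
    """
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("stream did not begin with a PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the maximum header length")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed header: %r" % data[:end])
    _, proto, src, dst, sport, dport = fields
    family = ipaddress.IPv4Address if proto == "TCP4" else ipaddress.IPv6Address
    try:
        src_ip, dst_ip = family(src), family(dst)
    except ValueError:
        raise ProxyHeaderError("address does not match %s" % proto)
    if not (sport.isdigit() and dport.isdigit()):
        raise ProxyHeaderError("ports must be decimal integers")
    src_port, dst_port = int(sport), int(dport)
    if src_port > 65535 or dst_port > 65535:
        raise ProxyHeaderError("port out of range")
    return ({"src": str(src_ip), "src_port": src_port,
             "dst": str(dst_ip), "dst_port": dst_port}, rest)
```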

AWS OFFICIAL, updated 4 months ago