How do I capture client IP addresses in the web server logs behind an ELB?


I'm using Elastic Load Balancing (ELB) for my web server, and I can see my load balancer's IP address in the web server access logs. How do I capture client IP addresses instead?

Short description

Your web server access logs capture the IP address of your load balancer because the load balancer establishes the connection to your instances. To capture the IP addresses of clients in your web server access logs, configure the following:

  • For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, the load balancer adds the client IP address to the X-Forwarded-For HTTP header. You can then configure your web server access logs to record that header.
  • For Classic Load Balancers with TCP/SSL listeners, activate Proxy Protocol support on both the Classic Load Balancer and the target application. The load balancer then prefixes each backend connection with a PROXY line that carries the client's address and port. Configuring only one side doesn't fall back to the old behavior: the connections break instead.
  • For Network Load Balancers, register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target group attributes instead of the following resolutions.
  • For Network Load Balancers when you can register only IP addresses as targets, activate proxy protocol version 2 on the load balancer. For instructions, see Enable proxy protocol instead of the following resolutions.

Resolution

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners (Apache)

1.    Open your Apache configuration file using a text editor. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

2.    In the LogFormat directive that your access log uses (combined in this example), add %{X-Forwarded-For}i, similar to the following:

    ...
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    ...

3.    Save your changes.

4.    Reload the Apache service.

For Sysvinit, Debian-based systems (such as Ubuntu) and SUSE (such as SLES11), run this command:

# /etc/init.d/apache2 reload

For Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE, run this command:

# /etc/init.d/httpd reload

For Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12), run this command:

# systemctl reload apache2

For Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE, run this command:

# systemctl reload httpd

5.    Open your Apache web server access logs. The location varies by configuration.

6.    Verify that each new log line now starts with the client IP address taken from the X-Forwarded-For header, followed by the load balancer's address in the %h field. If the client sent its own X-Forwarded-For header, the field is a comma-separated list: the load balancer appends the address it saw to the end, so the rightmost entry is the one to trust, and anything to its left was supplied by the client and can be forged.

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (NGINX)

1.    Open your NGINX configuration file using a text editor. The location is typically /etc/nginx/nginx.conf.

2.    In the log_format directive of the http section, add $http_x_forwarded_for, similar to the following:

http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    ...
}

3.    Save your changes.

4.    Reload the NGINX service.

For example, on Amazon Linux 2 or RHEL, run this command:

systemctl reload nginx

Note: The command to reload the NGINX service is different on other systems. The commands to reload NGINX are similar to the commands to reload the Apache service in the previous section.

5.    Open your NGINX web server access logs. The location varies by configuration.

6.    Verify that client IP addresses are now recorded in the last field of each line, which holds the X-Forwarded-For header ("-" when the request carried no such header). As with Apache, the load balancer appends the client address to the end of the header, so when the field contains a comma-separated list, the rightmost entry is the trustworthy one.
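The following Python script is an added example, not code from the AWS article. It parses access log lines in the two formats configured above (the Apache combined format with %{X-Forwarded-For}i prepended, and the NGINX main format with $http_x_forwarded_for appended) and recovers the client address from the header. The sample lines are constructed: 10.0.1.5 stands in for the load balancer's private address, 203.0.113.9 for the real client, and 198.51.100.7 and 127.0.0.1 for addresses a client planted in its own X-Forwarded-For header. It also generalizes the point that matters for security: because each appending proxy adds the address it observed to the end of the list, the trustworthy entry with one load balancer is the rightmost one, and with N trusted proxies in a row it is the Nth from the right.

```python
"""Recover client IPs from ELB-fronted Apache/NGINX access logs (added example).

Sample log lines below are constructed for this example; 10.0.1.5 is a
made-up private address standing in for the load balancer.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Apache: LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# The header value is unquoted and may contain ", ", so match it lazily and
# anchor the fixed fields that follow it to the end of the line.
APACHE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<lb>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# NGINX: log_format main '$remote_addr - $remote_user [$time_local] "$request" '
#        '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'
NGINX_RE = re.compile(
    r'^(?P<lb>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)

FORMATS = {"apache": APACHE_RE, "nginx": NGINX_RE}


def parse_line(line: str, fmt: str) -> Dict[str, str]:
    """Split one access log line into named fields; fmt is 'apache' or 'nginx'."""
    match = FORMATS[fmt].match(line.rstrip("\r\n"))
    if match is None:
        raise ValueError(f"line does not match the {fmt} format: {line!r}")
    return match.groupdict()


def client_ip(xff: str, trusted_proxies: int = 1) -> Optional[str]:
    """Return the client address as observed by the trusted proxy chain.

    Each ELB appends the address of the peer that connected to it to the end of
    X-Forwarded-For.  With one load balancer in front of the web server the
    trustworthy entry is therefore the LAST one; everything to its left was sent
    by the client and can be forged.  With N appending proxies in a row, the
    entry added by the first of them is the Nth from the right.
    Returns None when the header is absent ('-') or the entry is not an IP.
    """
    if not xff or xff == "-":
        return None
    hops = [hop.strip() for hop in xff.split(",") if hop.strip()]
    if len(hops) < trusted_proxies:
        return None
    try:
        return str(ipaddress.ip_address(hops[-trusted_proxies]))
    except ValueError:
        return None


def client_ips(lines: List[str], fmt: str, trusted_proxies: int = 1) -> List[Optional[str]]:
    """Client address for every line, in order (None where none can be trusted)."""
    return [client_ip(parse_line(line, fmt)["xff"], trusted_proxies) for line in lines]


# Constructed samples.  In the first Apache line the client itself sent
# "X-Forwarded-For: 198.51.100.7" to impersonate another address; the load
# balancer appended the real client address 203.0.113.9 after it.  The second
# Apache line carries no header at all, which Apache logs as "-".
APACHE_LINES = [
    '198.51.100.7, 203.0.113.9 10.0.1.5 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /admin HTTP/1.1" 403 199 "-" "curl/8.1.2"',
    '- 10.0.1.5 - - [10/Oct/2023:13:55:40 +0000] '
    '"GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"',
]
NGINX_LINES = [
    '10.0.1.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 302 0 '
    '"-" "Mozilla/5.0" "203.0.113.9"',
    '10.0.1.5 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 403 162 '
    '"-" "curl/8.1.2" "127.0.0.1, 203.0.113.9"',
]

if __name__ == "__main__":
    for fmt, lines in (("apache", APACHE_LINES), ("nginx", NGINX_LINES)):
        for line in lines:
            fields = parse_line(line, fmt)
            print(f"{fmt:6} lb={fields['lb']:10} xff={fields['xff']!r:30} "
                  f"client={client_ip(fields['xff'])} {fields['request']}")
```

Run it as-is to see the four constructed lines resolved; point client_ips at a real log file with the matching fmt to audit your own records. The lazy match for the Apache header exists only because %{X-Forwarded-For}i is logged unquoted in the format above; wrapping it in \" \" in the LogFormat makes the field unambiguous and lets you use a simpler regex.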

Classic Load Balancers with TCP/SSL Listeners (Apache)

1.    Open your Apache configuration file using a text editor. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

2.    Make sure that your Apache configuration loads the mod_remoteip module. Its RemoteIPProxyProtocol directive, which this procedure relies on, is available in Apache 2.4.31 and later. In your configuration file, check for a line that's similar to the following:

Amazon Linux or RHEL:

LoadModule remoteip_module modules/mod_remoteip.so

Ubuntu:

LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so

3.    Confirm that the mod_remoteip module loads:

$ sudo apachectl -t -D DUMP_MODULES | grep -i remoteip

4.    Review the output and verify that the output contains a line that's similar to:

remoteip_module (shared)

Important: If the output doesn't contain this line, then the module isn’t included or loaded in your configuration. Make sure to activate the module before you proceed.

5.    Add the following line to your Apache configuration file to activate Proxy Protocol support:

RemoteIPProxyProtocol On

6.    Edit the LogFormat section of the configuration file to log the client IP address that mod_remoteip takes from the PROXY header (%a) and the client's port (%{remote}p), similar to the following:

LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

7.    Save your changes.

8.    Reload the Apache service.

For Sysvinit, Debian-based systems (such as Ubuntu), and SUSE (such as SLES11), run this command:

# /etc/init.d/apache2 reload

For Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE, run this command:

# /etc/init.d/httpd reload

For Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12), run this command:

# systemctl reload apache2

For Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE, run this command:

# systemctl reload httpd

9.    Open the Apache web server access logs. The location varies by configuration.

10.    Verify that the %a field of each new log line shows the client IP address from the PROXY header rather than the load balancer's address, and that %{remote}p shows the client's source port.

11.    Activate Proxy Protocol on the Classic Load Balancer as well, for the same backend instance port. The web server configuration above only tells Apache to expect the header: with RemoteIPProxyProtocol On, a connection that doesn't start with a PROXY line is aborted, so until the load balancer side is also on, every request fails; conversely, if the load balancer sends the header to an Apache that isn't expecting it, the PROXY line is read as a malformed HTTP request. Apache honors whatever PROXY header arrives on this port, so restrict the instance's security group to the load balancer only; otherwise anyone who can connect to the port directly can make Apache log an address of their choosing.

Classic Load Balancers with TCP/SSL Listeners (NGINX)

1.    Open the NGINX configuration file using a text editor. The location is typically /etc/nginx/nginx.conf.

2.    Add proxy_protocol to the listen line of the server section, and change the log_format line of the http section to log $proxy_protocol_addr, the client address that NGINX reads from the PROXY header ($remote_addr still holds the load balancer's address). The server block must sit inside the http block:

http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$proxy_protocol_addr"';

    access_log  /var/log/nginx/access.log  main;
    ...
    server {
        ...
        listen  80  default_server proxy_protocol;
        ...
    }
    ...
}

3.    Save your changes.

4.    Reload the NGINX service.

For example, on Amazon Linux 2 or RHEL, run this command:

systemctl reload nginx

Note: The command to reload the NGINX service is different on other systems. The commands to reload NGINX are similar to the commands to reload the Apache service in the previous section.

5.    Open the NGINX web server access logs. The location varies by configuration.

6.    Verify that client IP addresses are now recorded in the last field of each line, which is $proxy_protocol_addr. The first field, $remote_addr, still shows the load balancer's address unless you also configure the real_ip module (set_real_ip_from and real_ip_header proxy_protocol) to replace it.

7.    Activate Proxy Protocol on the Classic Load Balancer as well, for the same instance port. With proxy_protocol on the listen line, NGINX requires the header on every connection to that port and drops connections that don't carry it, so nothing works until both sides are on. NGINX accepts the header from any peer that connects, so restrict the instance's security group to the load balancer only; otherwise a direct connection can carry a forged client address into your logs.
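To see exactly what the Classic Load Balancer puts in front of each connection when Proxy Protocol is on, and to test an Apache or NGINX instance you have just configured as in the two TCP/SSL sections above, here is a Python implementation of the PROXY protocol version 1 header (the text form that Classic Load Balancers send; Network Load Balancers send the binary version 2, which this does not parse). It is an added example, not code from the AWS article. build_proxy_v1 produces the line the load balancer writes before the client's first byte, parse_proxy_v1 does what mod_remoteip or NGINX does on the receiving side, and probe opens a connection of your own and sends a header you choose in front of an HTTP request. The addresses and ports are constructed. Two properties are worth seeing in code: the parser rejects a plain HTTP request, which is the failure the web server hits when Proxy Protocol is on there but not on the load balancer; and probe works from any host that can reach the port, which is why that port must be reachable only from the load balancer.

```python
"""PROXY protocol v1 header: build, parse, and send a test probe (added example).

Addresses and ports below are constructed for the example.
"""
import ipaddress
import socket
from typing import Dict, Tuple

MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included


def build_proxy_v1(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Return the header a load balancer sends before the client's first byte:
    b'PROXY TCP4 <client> <lb> <client port> <lb port>\\r\\n'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP version")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    header = f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")
    if len(header) > MAX_V1_HEADER:
        raise ValueError("header exceeds 107 bytes")
    return header


def parse_proxy_v1(data: bytes) -> Tuple[Dict[str, object], bytes]:
    """Parse the header at the start of `data` the way a receiver must.

    Returns (fields, remaining payload).  Raises ValueError for anything that
    is not a well-formed v1 header, which is what the web server sees when
    Proxy Protocol is enabled there but the load balancer is not sending it.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no PROXY v1 line within the first 107 bytes")
    try:
        line = data[:end].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII bytes in PROXY line") from exc
    parts = line.split(" ")  # the spec allows exactly one space between fields
    if parts[0] != "PROXY":
        raise ValueError("line does not start with PROXY")
    if parts[1:] == ["UNKNOWN"]:
        # Allowed by the spec: the proxy could not determine the peer address.
        return {"family": "UNKNOWN"}, data[end + 2:]
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {line!r}")
    family, src_ip, dst_ip, src_port, dst_port = parts[1:]
    version = 4 if family == "TCP4" else 6
    addrs = []
    for text in (src_ip, dst_ip):
        addr = ipaddress.ip_address(text)  # ValueError if not an IP address
        if addr.version != version:
            raise ValueError(f"{text} is not an IPv{version} address")
        addrs.append(str(addr))
    ports = []
    for text in (src_port, dst_port):
        if not text.isdigit() or not 0 <= int(text) <= 65535:
            raise ValueError(f"bad port {text!r}")
        ports.append(int(text))
    fields = {"family": family, "src_ip": addrs[0], "dst_ip": addrs[1],
              "src_port": ports[0], "dst_port": ports[1]}
    return fields, data[end + 2:]


def probe(host: str, port: int, claimed_client: str, path: str = "/",
          timeout: float = 5.0) -> str:
    """Connect directly to the web server, send a PROXY header of our choosing
    and then an HTTP request; return the HTTP status line.

    Run this from a host the security group allows, then check the access log:
    the server should log `claimed_client`, not this host.  That is the check
    that the configuration works, and also the reason the port must not be
    reachable from anywhere but the load balancer.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        peer_ip, peer_port = sock.getpeername()[:2]
        header = build_proxy_v1(claimed_client, peer_ip, 51234, peer_port)
        request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
        sock.sendall(header + request)
        reply = sock.recv(4096)
    return reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
```

For example, `probe("10.0.1.5", 80, "203.0.113.9")` from a host inside the VPC returns the server's status line, and the access log line for that request should show 203.0.113.9 in the %a field (Apache) or the $proxy_protocol_addr field (NGINX). If the server answers with a 400 to the same request sent without the header, or closes the connection when the header is missing, you are seeing the two one-sided configurations described in the steps above.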


AWS OFFICIAL. Updated 2 years ago.