How do I capture client IP addresses in my ELB access logs?

Last updated: 2018-12-07

I'm using Elastic Load Balancing for my web server, and I can see my load balancer's IP address in the access logs. How do I capture client IP addresses instead?

Short description

Your access logs capture the IP address of your load balancer because the load balancer establishes the connection to your instances. You must perform additional configuration to capture the IP addresses of clients in your access logs.

Resolution

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (Apache)

1.     Open your Apache configuration file in your preferred text editor. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

2.     In the LogFormat section, add %{X-Forwarded-For}i as follows:

    ...
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    ...

3.     Save your changes.

4.     Reload the Apache service.

For Sysvinit, Debian-based systems (such as Ubuntu) and SUSE (such as SLES11):

# /etc/init.d/apache2 reload

For Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE:

# /etc/init.d/httpd reload

For Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12):

# systemctl reload apache2

For Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE:

# systemctl reload httpd

5.     Open your Apache access logs. The location varies by configuration.

6.     Verify that client IP addresses are now recorded under the X-Forwarded-For header.
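When you read these logs, keep in mind that the X-Forwarded-For field is a comma-separated list and only its last entry was written by the load balancer; anything before it came from the client and is unverified. The following parser for the LogFormat in step 2 is an added example, not part of the original article. It assumes the load balancer's default behavior of appending the address it saw to any X-Forwarded-For value the client sent. The names `parse_line`, `LINE_RE`, and `SAMPLE` are hypothetical, and the log lines are constructed.

```python
import ipaddress
import re

# Matches the "combined" LogFormat from step 2:
# %{X-Forwarded-For}i %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<peer>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
)


def parse_line(line):
    """Return a dict with the load-balancer-observed client IP, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entries = [e.strip() for e in m.group("xff").split(",")]
    try:
        # Only the right-most entry was appended by the load balancer.
        client = str(ipaddress.ip_address(entries[-1]))
    except ValueError:
        client = None  # "-" (header absent) or not an IP address
    return {
        "client_ip": client,
        "claimed_by_client": entries[:-1],  # client-supplied, unverified
        "peer": m.group("peer"),            # %h: the load balancer node
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 10.0.1.23 - - [07/Dec/2018:10:00:00 +0000] '
    '"GET / HTTP/1.1" 200 512 "-" "curl/7.61.1"',
    '127.0.0.1, 198.51.100.9 10.0.1.23 - - [07/Dec/2018:10:00:01 +0000] '
    '"GET /admin HTTP/1.1" 403 199 "-" "curl/7.61.1"',
    '- 10.0.1.50 - - [07/Dec/2018:10:00:02 +0000] '
    '"GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/2.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(parse_line(raw))
```

A line whose `client_ip` is `None` carried no usable X-Forwarded-For value, which is worth reviewing if the request did not come from a health check.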

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (NGINX)

1.     Open your NGINX configuration file in your preferred text editor. The typical location is /etc/nginx/nginx.conf.

2.     In the log_format directive of the http section, add $http_x_forwarded_for as follows:

http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    ...
}

3.     Save your changes.

4.     Reload your NGINX configuration file as follows. Be sure to use the appropriate file path for your configuration.

# sudo /etc/init.d/nginx reload

5.     Open your NGINX access logs. The location varies by configuration.

6.     Verify that client IP addresses are now recorded under the X-Forwarded-For header.

Classic Load Balancers with TCP/SSL Listeners (Apache)

1.     Open your Apache configuration file in your preferred text editor. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

2.    Be sure that your Apache configuration loads the module mod_remoteip (available for Apache version 2.4.31 and newer). This module includes the RemoteIPProxyProtocol directive. Check for a line similar to the following in your configuration file.

Amazon Linux or RHEL:

LoadModule remoteip_module modules/mod_remoteip.so

Ubuntu:

LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so

3.     Confirm that the mod_remoteip module loads:

$ sudo apachectl -t -D DUMP_MODULES | grep -i remoteip

4.    Review the output and verify that it contains a line similar to:

remoteip_module (shared)

Important: If this line isn’t returned, the module isn’t included or loaded in your configuration. Be sure to enable the module before proceeding.

5.     Add the following line to your Apache configuration file to enable Proxy Protocol support:

RemoteIPProxyProtocol On

6.     Edit the LogFormat section of the configuration file to capture the remote IP address (%a) and the remote port (%{remote}p) as follows:

LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

7.     Save your changes.

8.     Reload the Apache service.

For Sysvinit, Debian-based systems (such as Ubuntu), and SUSE (such as SLES11):

# /etc/init.d/apache2 reload

For Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE:

# /etc/init.d/httpd reload

For Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12):

# systemctl reload apache2

For Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE:

# systemctl reload httpd

9.     Open the Apache access logs. The location varies by configuration.

10.    Verify that client IP addresses are now recorded under the Proxy Protocol header. 

11.    Enable support for Proxy Protocol in your target application.

Classic Load Balancers with TCP/SSL Listeners (NGINX)

1.     Open the NGINX configuration file in your preferred text editor. The typical location is /etc/nginx/nginx.conf.

2.     Change the listen line of the server section to enable proxy_protocol. Be sure to change the log_format line of the http section to set the proxy_protocol_addr. For example:

http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$proxy_protocol_addr"';

    access_log  /var/log/nginx/access.log  main;
    ...

    server {
        ...
        listen  80  default_server proxy_protocol;
        ...
    }
    ...
}

3.     Save your changes.

4.     Reload the NGINX configuration file.

For Sysvinit systems (such as Amazon Linux, RHEL 6, SLES11, and Ubuntu 14.04):

# /etc/init.d/nginx reload

For Systemd systems (such as RHEL 7, Amazon Linux 2, SLES12, and Ubuntu 16.04):

# systemctl reload nginx

5.     Open the NGINX access logs. The location varies by configuration.

6.     Verify that client IP addresses are now recorded under the Proxy Protocol header.

7.     Enable support for Proxy Protocol in your target application.
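For both TCP/SSL listener procedures above, it helps to know what the web server is now expecting at the start of every connection. The following added example (not part of the original article) parses a Proxy Protocol version 1 header, the human-readable form that Classic Load Balancers send, and separates it from the application data that follows. The names `parse_proxy_v1` and `SAMPLE` are hypothetical, and the sample bytes are constructed.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header (including CRLF) allowed by the spec


def parse_proxy_v1(data: bytes):
    """Split a connection's first bytes into (header fields, remaining payload)."""
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated within 107 bytes")
    parts = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if parts[1] == "UNKNOWN":
        return None, payload  # proxy could not determine the addresses
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed header")
    if not all(p.isdigit() for p in parts[4:6]):
        raise ValueError("non-numeric port")
    version = 4 if parts[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(p) for p in parts[2:4])
    sport, dport = (int(p) for p in parts[4:6])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return {"client_ip": str(src), "client_port": sport,
            "proxy_ip": str(dst), "proxy_port": dport}, payload


# Constructed example of what the backend receives on a new connection.
SAMPLE = (b"PROXY TCP4 198.51.100.22 10.0.1.23 35646 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE)
    print(info)
    print(rest.split(b"\r\n", 1)[0])
```

The backend trusts whatever addresses this header carries, so a listener with Proxy Protocol enabled should accept connections only from the load balancer.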

