I'm using Elastic Load Balancing for my web server, and I can see my load balancer's IP address in the access logs. How do I capture client IP addresses instead?

Your access logs capture the IP address of your load balancer because the load balancer establishes the connection to your instances. You must perform additional configuration to capture the IP addresses of clients in your access logs.

  • For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, you must use X-Forwarded-For headers to capture client IP addresses. Then, you must print those client IP addresses in your access logs.
  • For Classic Load Balancers with TCP/SSL listeners, you must enable Proxy Protocol support on the Classic Load Balancer and the target application. Be sure to configure Proxy Protocol support on both sides or your application might experience issues. You can also enable Proxy Protocol support using the AWS CLI.
  • For Network Load Balancers, you can register your targets by instance ID to capture client IP addresses without additional web server configuration. For instructions, see Target Group Attributes instead of the following resolutions.

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (Apache)

1.    Open your Apache configuration file in your preferred text editor. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

2.    In the LogFormat section, add %{X-Forwarded-For}i as follows:

    ...
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    ...

3.    Save your changes.

4.    Reload the Apache service.

For Sysvinit, Debian-based systems (such as Ubuntu) and SUSE (such as SLES11):

# /etc/init.d/apache2 reload

For Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE:

# /etc/init.d/httpd reload

For Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12):

# systemctl reload apache2

For Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE:

# systemctl reload httpd

5.    Open your Apache access logs. The location varies by configuration.

6.    Verify that client IP addresses are now recorded under the X-Forwarded-For header.

Application Load Balancers and Classic Load Balancers with HTTP/HTTPS Listeners (NGINX)

1.    Open your NGINX configuration file in your preferred text editor. The typical location is /etc/nginx/nginx.conf.

2.    In the log_format directive of the http section, add $http_x_forwarded_for as follows:

http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    ...
}

3.    Save your changes.

4.    Reload your NGINX configuration file as follows. Be sure to use the appropriate file path for your configuration.

$ sudo /etc/init.d/nginx reload

5.    Open your NGINX access logs. The location varies by configuration.

6.    Verify that client IP addresses are now recorded under the X-Forwarded-For header.
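
The verification in step 6 can be scripted. This is an added example, not part of the original article: it parses lines in the NGINX log_format from step 2 and returns the client address. By default the load balancer appends the address it observed to any X-Forwarded-For value the client already sent, so only the rightmost entry is taken. The same rule applies to the Apache LogFormat above. The function name and sample lines are constructed for illustration.

```python
import ipaddress
import re

# NGINX "main" log_format from step 2; the last quoted field is
# $http_x_forwarded_for.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) - \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def client_ip(line):
    """Return (client_ip, peer_ip) for one access log line.

    client_ip is the rightmost X-Forwarded-For entry, the one the load
    balancer appended. It is None when the header is absent ("-") or the
    entry is not a valid IP address.
    """
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("line does not match the expected log_format")
    peer, xff = m.group("peer"), m.group("xff")
    if xff in ("", "-"):
        return None, peer
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last)), peer
    except ValueError:
        return None, peer


# Constructed sample lines using documentation address ranges.
SAMPLE = [
    # Normal request: the load balancer set the header.
    '10.0.1.23 - - [07/Dec/2018:10:15:02 +0000] "GET / HTTP/1.1" 200 612 '
    '"-" "curl/7.61.1" "203.0.113.7"',
    # Client sent its own X-Forwarded-For; the real address was appended.
    '10.0.1.23 - - [07/Dec/2018:10:15:09 +0000] "GET /login HTTP/1.1" 200 '
    '1204 "-" "curl/7.61.1" "127.0.0.1, 198.51.100.22"',
    # Request that did not carry the header at all.
    '10.0.1.23 - - [07/Dec/2018:10:15:30 +0000] "GET /health HTTP/1.1" 200 '
    '2 "-" "ELB-HealthChecker/2.0" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(client_ip(entry))
```

Entries to the left of the last one are client-supplied and should not be used for access decisions or rate limiting.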

Classic Load Balancers with TCP/SSL Listeners (Apache)

1.    Open your Apache configuration file in your preferred text editor. The location varies by configuration, such as /etc/httpd/conf/httpd.conf for Amazon Linux and RHEL, or /etc/apache2/apache2.conf for Ubuntu.

2.    Be sure that your Apache configuration loads the module mod_remoteip (available for Apache version 2.4.31 and newer). This module includes the RemoteIPProxyProtocol directive. Check for a line similar to the following in your configuration file.

Amazon Linux or RHEL:

LoadModule remoteip_module modules/mod_remoteip.so

Ubuntu:

LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so

3.    Confirm that the mod_remoteip module loads:

$ sudo apachectl -t -D DUMP_MODULES | grep -i remoteip

4.    Review the output and verify that it contains a line similar to:

remoteip_module (shared)

Important: If this line isn’t returned, the module isn’t included or loaded in your configuration. Be sure to enable the module before proceeding.

5.    Add the following line to your Apache configuration file to enable Proxy Protocol support:

RemoteIPProxyProtocol On

6.    Edit the LogFormat section of the configuration file to capture the remote IP address (%a) and the remote port (%{remote}p) as follows:

LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

7.    Save your changes.

8.    Reload the Apache service.

For Sysvinit, Debian-based systems (such as Ubuntu), and SUSE (such as SLES11):

# /etc/init.d/apache2 reload

For Sysvinit, RPM-based systems (such as RHEL 6 and Amazon Linux), except SUSE: 

# /etc/init.d/httpd reload

For Systemd, Debian-based systems (such as Ubuntu) and SUSE (such as SLES12): 

# systemctl reload apache2

For Systemd, RPM-based systems (such as RHEL 7 and Amazon Linux 2), except SUSE: 

# systemctl reload httpd

9.    Open the Apache access logs. The location varies by configuration.

10.    Verify that client IP addresses are now recorded under the Proxy Protocol header.

11.    Enable support for Proxy Protocol in your target application.

Classic Load Balancers with TCP/SSL Listeners (NGINX)

1.    Open the NGINX configuration file in your preferred text editor. The typical location is /etc/nginx/nginx.conf.

2.    Change the listen line of the server section to enable proxy_protocol. Be sure to change the log_format line of the http section to set the proxy_protocol_addr. For example:

http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$proxy_protocol_addr"';

    access_log  /var/log/nginx/access.log  main;
    ...
    server {
        ...
        listen  80  default_server proxy_protocol;
        ...
    }
    ...
}

3.    Save your changes.

4.    Reload the NGINX configuration file.

For Sysvinit systems (such as Amazon Linux, RHEL 6, SLES11, and Ubuntu 14.04):

# /etc/init.d/nginx reload

For Systemd systems (such as RHEL 7, Amazon Linux 2, SLES12, and Ubuntu 16.04): 

# systemctl reload nginx

5.    Open the NGINX access logs. The location varies by configuration.

6.    Verify that client IP addresses are now recorded under the Proxy Protocol header.

7.    Enable support for Proxy Protocol in your target application.
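
For a target application that reads the TCP stream itself, the following added example (not part of the original article) shows what Proxy Protocol support involves. Classic Load Balancers send the human-readable version 1 header as the first line of each connection. The parser returns the client address and the remaining payload, and rejects a stream that lacks the header, which is the mismatch that occurs when only one side is configured. The function name and sample bytes are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest version 1 header line, CRLF included


def parse_proxy_v1(data):
    """Split a PROXY protocol v1 header off the first bytes of a connection.

    Returns ((src_ip, src_port, dst_ip, dst_port), payload).
    Raises ValueError if the stream does not start with a valid header.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("stream does not begin with a PROXY header")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("PROXY header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported or malformed PROXY header")
    version = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match " + fields[1])
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport, str(dst), dport), payload


# Constructed first bytes of two connections (documentation addresses).
WITH_HEADER = (b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
               b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
# Load balancer without Proxy Protocol enabled: the request starts at once.
WITHOUT_HEADER = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    print(parse_proxy_v1(WITH_HEADER))
    try:
        parse_proxy_v1(WITHOUT_HEADER)
    except ValueError as exc:
        print("rejected:", exc)
```

Accept the header only on listeners that are reachable solely from the load balancer, because any peer that can connect directly can write its own PROXY line.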



Published: 2018-12-07