How do I log client information for TCP or SSL traffic to a Classic Load Balancer when running Apache?

By default, a Classic Load Balancer with TCP or SSL listeners terminates the client's TCP connection and opens a new one to the back end, so the back end sees the load balancer's private IP address as the peer. Unlike HTTP and HTTPS listeners, TCP and SSL listeners do not add an X-Forwarded-For header. To recover the client's address you must enable Proxy Protocol on the Classic Load Balancer, which then prepends a Proxy Protocol header carrying the client information to the start of each connection it opens to the back end.

After you enable Proxy Protocol on the load balancer, you must also enable it on the back-end application, because every connection to that back-end port now begins with the header and the application must parse it. Nginx supports Proxy Protocol natively, but the Apache versions this page targets do not, so you must compile and install a third-party module before enabling Proxy Protocol in the Apache configuration. The header is plain text that any host able to reach the back-end port directly could send, so restrict that port's security group to the load balancer's security group (or otherwise make sure only the load balancer can connect) before trusting the addresses it carries.

Proxy Protocol is a small protocol, defined by the HAProxy project, that prepends the original connection's source and destination addresses and ports to a proxied TCP connection so the destination can learn who actually connected. Elastic Load Balancing uses Proxy Protocol version 1, whose header is a single human-readable text line. The header lets you identify the IP address and source port of a client when you use a load balancer configured with TCP/SSL listeners.

The Proxy Protocol header is a single text line that ends with a carriage return and line feed ("\r\n") and has the following form, where PROXY_STRING is the literal word PROXY, INET_PROTOCOL is TCP4 or TCP6, and every field is separated by exactly one space:

PROXY_STRING + single space + INET_PROTOCOL + single space + CLIENT_IP + single space + PROXY_IP + single space + CLIENT_PORT + single space + PROXY_PORT + "\r\n"

Example: IPv4

The following is an example of the Proxy Protocol line for IPv4. Here the client is 198.51.100.22 connecting from port 35646, and 203.0.113.7 port 80 is the address and port the load balancer accepted the connection on:

PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n
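The following is an added example, not code from the AWS page or from any load balancer or Apache module: a POSIX shell parser that enforces the version 1 grammar described above. It exists to make two things concrete: exactly what a receiver has to check before it uses the client address (line length, single-space separators, a valid address family, well-formed addresses and ports), and the fact that a syntactically valid line is all it takes, so the parser cannot distinguish a header written by the load balancer from one written by any other host that can reach the back-end port. The three sample lines at the bottom are constructed for the example: the page's IPv4 line, a "forged" line with an assumed private client address, and a malformed line.

```shell
#!/bin/sh
# Added example (not from the AWS page): strict parser for a PROXY protocol
# v1 header line. Input is the line WITHOUT its trailing "\r\n". On success it
# prints "client_ip client_port proxy_ip proxy_port" and returns 0.

pp_v1_parse() {
    line=$1
    # The v1 spec caps a line at 107 bytes including "\r\n": 105 without it.
    [ "${#line}" -le 105 ] || return 1
    # Fields are separated by exactly one space: reject empty lines and
    # leading, trailing or doubled spaces before splitting.
    case $line in
        ''|' '*|*' '|*'  '*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=' '
    set -f                     # no pathname expansion of untrusted input
    set -- $line
    set +f; IFS=$old_ifs
    # TCP4/TCP6 lines have six fields; "PROXY UNKNOWN" carries no address
    # worth trusting and is rejected here along with everything else.
    [ $# -eq 6 ] || return 1
    [ "$1" = PROXY ] || return 1
    case $2 in
        TCP4) _pp_ipv4 "$3" && _pp_ipv4 "$4" || return 1 ;;
        TCP6) _pp_ipv6 "$3" && _pp_ipv6 "$4" || return 1 ;;
        *)    return 1 ;;
    esac
    _pp_port "$5" && _pp_port "$6" || return 1
    printf '%s %s %s %s\n' "$3" "$5" "$4" "$6"
}

# Dotted quad: four decimal octets, no empty octets, no leading zeros
# (a conservative choice; "010" is read as octal by some parsers).
_pp_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Coarse IPv6 check: hex digits, colons and dots (for ::ffff:a.b.c.d), at
# least two colons, no ":::", at most one "::". Not a full RFC 4291 parser.
_pp_ipv6() {
    case $1 in
        ''|*[!0-9a-fA-F:.]*|*:::*|*::*::*) return 1 ;;
        *:*:*) [ "${#1}" -le 45 ] ;;
        *) return 1 ;;
    esac
}

# Decimal port 0-65535 without leading zeros.
_pp_port() {
    case $1 in
        ''|*[!0-9]*|0?*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Constructed samples: the page's IPv4 line, a forged line that any host with
# direct access to the back-end port could send (10.0.0.5 is an assumed
# address), and a malformed line. Note that the forged line parses fine:
# syntax checks do not authenticate the sender; only network restrictions do.
for sample in \
    'PROXY TCP4 198.51.100.22 203.0.113.7 35646 80' \
    'PROXY TCP4 10.0.0.5 203.0.113.7 4444 80' \
    'PROXY TCP4 999.51.100.22 203.0.113.7 35646 80'
do
    if fields=$(pp_v1_parse "$sample"); then
        printf 'well-formed: %s -> %s\n' "$sample" "$fields"
    else
        printf 'rejected:    %s\n' "$sample"
    fi
done
```

The parser deliberately returns failure for anything it does not fully understand (UNKNOWN, extra fields, tabs, out-of-range values) rather than falling back to the TCP peer address silently; a receiver that falls back can be made to log whichever address an attacker prefers.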

With this in place you can log the client IP address in Apache access logs behind the TCP or SSL listeners of a Classic Load Balancer. Sample source code for an Apache Proxy Protocol module can be found on GitHub, and information about modifying httpd.conf is located in the Apache HTTP Server documentation.

Note: These links are provided for informational purposes only, and should not be considered either a comprehensive list or an endorsement of the content of the examples. AWS is not responsible for the content or accuracy of external content.

Follow these instructions to enable Proxy Protocol and capture the client IP address in the back-end application's access logs.

Configuration for the load balancer (TCP listeners). Replace my-load-balancer with your load balancer's name and 80 with the instance port that your TCP or SSL listener forwards to. The policy is attached to a back-end port, not to a listener, and set-load-balancer-policies-for-backend-server replaces the whole set of policies for that port, so list any policies already attached to it alongside the new one:

aws elb create-load-balancer-policy --load-balancer-name my-load-balancer --policy-name my-ProxyProtocol-policy --policy-type-name ProxyProtocolPolicyType --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true

aws elb set-load-balancer-policies-for-backend-server --load-balancer-name my-load-balancer --instance-port 80 --policy-names my-ProxyProtocol-policy

Configuration for the backend server (Apache 2.4):

Install these packages for Proxy Protocol:

  • git
  • httpd24-devel
  • gcc

$> sudo yum install git httpd24-devel gcc

Download the module. Clone it as your normal user: neither the clone nor the build needs root, only the later copy into the Apache module directory does.

$> git clone https://github.com/roadrunner2/mod-proxy-protocol

Compile the downloaded module. The Makefile uses the Apache build tools (apxs) that httpd24-devel installed.

$> cd mod-proxy-protocol/

$> make

Move the compiled module file (.so) to /etc/httpd/modules directory.

$> sudo cp .libs/mod_proxy_protocol.so /etc/httpd/modules/

Add the following lines to httpd.conf (/etc/httpd/conf/httpd.conf on Amazon Linux). They are configuration directives, not shell commands: put the LoadModule line with the other LoadModule lines, and ProxyProtocol On in the server configuration.

LoadModule proxy_protocol_module modules/mod_proxy_protocol.so

ProxyProtocol On

Once enabled, the module expects the header on connections to that server, so test through the load balancer's DNS name rather than by connecting directly to the instance.

Edit the log format in httpd.conf so the combined format records the client address and port taken from the Proxy Protocol header. With the module loaded, %h and %a show the client's address instead of the load balancer's, %{remote}p is the client's source port, and %p is the server port. Keep the nickname combined so the existing CustomLog directive picks up the change:

LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

Restart Apache.

$> sudo service httpd restart
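The whole procedure as one script, added here as an example and not taken from the AWS page or from the mod-proxy-protocol project. It adds the checks a practitioner wants before trusting the new logs: reading the backend policies back from the load balancer, verifying that httpd.conf actually contains the directives before restarting, running apachectl configtest, and confirming that the module is loaded afterwards. The load balancer name my-load-balancer, the instance port 80 and the Amazon Linux paths are placeholders (assumptions), overridable through environment variables; DRY_RUN=1 prints the AWS and privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the AWS page): the Proxy Protocol procedure with
# verification steps. Placeholders below are assumptions; override via env.

LB_NAME=${LB_NAME:-my-load-balancer}          # placeholder: Classic LB name
INSTANCE_PORT=${INSTANCE_PORT:-80}            # placeholder: back-end port
HTTPD_CONF=${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}
MODULE_DIR=${MODULE_DIR:-/etc/httpd/modules}

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the policy and attach it to the back-end instance port.
elb_enable_proxy_protocol() {
    run aws elb create-load-balancer-policy \
        --load-balancer-name "$LB_NAME" \
        --policy-name my-ProxyProtocol-policy \
        --policy-type-name ProxyProtocolPolicyType \
        --policy-attributes AttributeName=ProxyProtocol,AttributeValue=true
    run aws elb set-load-balancer-policies-for-backend-server \
        --load-balancer-name "$LB_NAME" \
        --instance-port "$INSTANCE_PORT" \
        --policy-names my-ProxyProtocol-policy
}

# Step 1b: read the backend policies back; the instance port should list
# my-ProxyProtocol-policy.
elb_show_backend_policies() {
    run aws elb describe-load-balancers \
        --load-balancer-name "$LB_NAME" \
        --query 'LoadBalancerDescriptions[0].BackendServerDescriptions'
}

# Step 2: build as an unprivileged user; only the package install and the
# copy into the module directory need root.
build_and_install_module() {
    run sudo yum install -y git httpd24-devel gcc
    run git clone https://github.com/roadrunner2/mod-proxy-protocol
    run sh -c 'cd mod-proxy-protocol && make'
    run sudo cp mod-proxy-protocol/.libs/mod_proxy_protocol.so "$MODULE_DIR/"
}

# Step 3: confirm the configuration file carries the directives the page
# adds. Takes the path as an argument so it can be run against a test copy.
httpd_conf_check() {
    conf=$1
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_protocol_module[[:space:]]' "$conf" \
        || { echo "$conf: missing LoadModule proxy_protocol_module" >&2; return 1; }
    grep -Eiq '^[[:space:]]*ProxyProtocol[[:space:]]+On[[:space:]]*$' "$conf" \
        || { echo "$conf: missing 'ProxyProtocol On'" >&2; return 1; }
    grep -Eq '^[[:space:]]*LogFormat[[:space:]]+".*%a .*%.remote.p.*"[[:space:]]+combined[[:space:]]*$' "$conf" \
        || { echo "$conf: combined LogFormat does not log %a and %{remote}p" >&2; return 1; }
    grep -Eq '^[[:space:]]*CustomLog[[:space:]]+.*[[:space:]]combined[[:space:]]*$' "$conf" \
        || { echo "$conf: no CustomLog uses the combined format" >&2; return 1; }
    return 0
}

# Step 4: syntax-check, restart, then confirm the module really is loaded.
restart_and_verify() {
    run sudo apachectl configtest || return 1
    run sudo service httpd restart || return 1
    if [ -z "$DRY_RUN" ]; then
        httpd -M 2>/dev/null | grep -q 'proxy_protocol_module' \
            || { echo "proxy_protocol_module not loaded" >&2; return 1; }
    fi
}

main() {
    elb_enable_proxy_protocol && elb_show_backend_policies \
        && build_and_install_module \
        && httpd_conf_check "$HTTPD_CONF" \
        && restart_and_verify
}

# Run the full procedure only when asked, so the functions can be sourced.
if [ "${1:-}" = run ]; then main; fi
```

Run it first with DRY_RUN=1 to see the AWS and sudo commands it would issue, then with the argument run on the instance (with the AWS CLI configured and the httpd.conf edits from the steps above already made). After the restart, make a request through the load balancer's DNS name and confirm the access log shows the caller's address rather than the load balancer's.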

Note:

  • The Proxy Protocol module has been tested with Apache version 2.4.
  • If Apache version 2.2 is installed on the server and you want to move to Apache version 2.4, you must remove all httpd packages (httpd, httpd-devel, and httpd-tools) before you can install httpd24-devel, which is required to build the module.
  • For Debian-based Linux systems, install apache2-dev instead of httpd24-devel; the module directory and configuration files are under /usr/lib/apache2/modules and /etc/apache2 rather than /etc/httpd.
  • Apache 2.4.31 and later include Proxy Protocol support in mod_remoteip (the RemoteIPProxyProtocol directive). On those versions you can use it instead of building a third-party module; do not enable both for the same server.


Published: 2016-09-15