How to capture client IP addresses in the Web Server Logs behind an ELB

Sep 7, 2021

Finding it difficult to capture client IP addresses in the web server logs behind an ELB? You are in luck: our Support Techs recently solved the same issue for one of our clients.

If you use Elastic Load Balancing for your web server and see the load balancer’s IP address in the web server access logs, continue reading to find out how to capture client addresses instead.

How to Capture Client IP Addresses in the Web Server Logs Behind an ELB

Before we delve into the issue, you need to understand that the web server access logs capture the load balancer’s IP address because the load balancer establishes the connection to the instances. In order to capture the client IP addresses, our Support Techs recommend the following:

  • For Classic Load Balancers and Application Load Balancers with HTTP/HTTPS listeners, the client IP address is carried in the X-Forwarded-For HTTP header. Configure the web server access logs to record it.
  • For Classic Load Balancers with TCP/SSL listeners, enable Proxy Protocol support on the Classic Load Balancer as well as in the target application.
  • For Network Load Balancers, register the targets by instance ID in order to capture client IP addresses.
  • When registering IP addresses as targets, also enable proxy protocol version 2 on the Network Load Balancer.

Tips on How to Capture Client IP Addresses in the Web Server Logs Behind an ELB

Let’s dive into the different ways you can capture client IP addresses in the web server logs behind an ELB.

Classic Load Balancers & Application Load Balancers with HTTP/HTTPS listeners (Apache)

  1. First, open the Apache configuration file via a text editor. The file location depends on the configuration. For instance, /etc/apache2/apache2.conf for Ubuntu and /etc/httpd/conf/httpd.conf for RHEL and Amazon Linux.
  2. Then add %{X-Forwarded-For}i in the LogFormat section as seen below:
    ...
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    ...
  3. After that, save the changes.
  4. Then reload the Apache service.

Run the following command for Debian-based, Sysvinit systems like Ubuntu and SUSE like SLES11:

# /etc/init.d/apache2 reload

Use this command for Sysvinit, RPM-based systems like Amazon Linux and RHEL 6, except SUSE:

# /etc/init.d/httpd reload

Run the following command for Systemd, Debian-based systems like Ubuntu and SUSE like SLES12:

# systemctl reload apache2

Use this command for Systemd, RPM-based systems like Amazon Linux 2 and RHEL 7, except SUSE:

# systemctl reload httpd
  5. Next, open the Apache web server logs. The location depends on the configuration.
  6. After that, check whether the client IP addresses are recorded under the X-Forwarded-For header.

Classic Load Balancers & Application Load Balancers with HTTP/HTTPS Listeners (NGINX)

  1. First, open the NGINX configuration file via a text editor. Our experts recommend looking for the file at /etc/nginx/nginx.conf
  2. Then add $http_x_forwarded_for to the log_format directive as seen below:
http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    ...
}
  3. Then save the changes.
  4. After that, reload the NGINX service. For instance, run the following command on RHEL or Amazon Linux 2:
systemctl reload nginx

Our experts would like to remind you that the command used to reload the NGINX service differs on different systems. These commands are similar to the ones used to reload the Apache service as seen in the previous section.

  5. Next, open the NGINX web server access logs. The location depends on the configuration.
  6. Then, check whether the client IP addresses are recorded under the X-Forwarded-For header.
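
Reading the recorded value, as an added example (not code from the original article): Elastic Load Balancing appends the address it saw to any X-Forwarded-For value the request already carried, so the logged field can hold several comma-separated entries and only the last one was written by the load balancer. The sketch parses the Apache and NGINX formats shown above; the sample lines and the name parse_entry are constructed for illustration.

```python
import ipaddress
import re

# Apache LogFormat above: X-Forwarded-For is the first field and is unquoted,
# so a multi-hop value ("a, b") contains spaces. Anchor on the fields after it.
APACHE_RE = re.compile(r'^(?P<xff>.*?) (?P<peer>\S+) \S+ \S+ \[[^\]]+\] "')
# NGINX log_format above: $remote_addr is first, the quoted header is last.
NGINX_RE = re.compile(r'^(?P<peer>\S+) .*"(?P<xff>[^"]*)"$')

# Constructed sample lines (documentation address ranges, not real traffic).
APACHE_SPOOFED = ('192.0.2.99, 203.0.113.7 10.0.1.25 - - '
                  '[07/Sep/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 '
                  '"-" "curl/7.68.0"')
APACHE_NO_HEADER = ('- 10.0.1.25 - - [07/Sep/2021:10:00:05 +0000] '
                    '"GET /health HTTP/1.1" 200 2 "-" "-"')
NGINX_SPOOFED = ('10.0.1.25 - - [07/Sep/2021:10:00:00 +0000] '
                 '"GET / HTTP/1.1" 200 512 "-" "curl/7.68.0" '
                 '"192.0.2.99, 203.0.113.7"')


def parse_entry(line, fmt):
    """Return (peer, client) for one access-log line.

    peer:   address that opened the connection (the load balancer node)
    client: last address in X-Forwarded-For, or None if absent or invalid
    """
    match = (APACHE_RE if fmt == "apache" else NGINX_RE).match(line.strip())
    if match is None:
        raise ValueError("line does not match the %s format" % fmt)
    # The load balancer appends the address it saw to whatever header the
    # client sent, so only the last element was written by the load balancer.
    last = match.group("xff").split(",")[-1].strip()
    try:
        client = str(ipaddress.ip_address(last))
    except ValueError:
        client = None  # "-" (no header) or a non-address value
    return match.group("peer"), client


if __name__ == "__main__":
    for fmt, line in (("apache", APACHE_SPOOFED), ("apache", APACHE_NO_HEADER),
                      ("nginx", NGINX_SPOOFED)):
        print(fmt, parse_entry(line, fmt))
```

Taking the first whitespace-separated field of the Apache line instead would return the entry the client supplied, not the one the load balancer added.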

Classic Load Balancers with TCP/SSL Listeners (Apache)

  1. First, open the Apache configuration file via a text editor. The file location depends on the configuration. For instance, /etc/apache2/apache2.conf for Ubuntu and /etc/httpd/conf/httpd.conf for RHEL and Amazon Linux.
  2. Ensure that the Apache configuration loads the mod_remoteip module, which provides the RemoteIPProxyProtocol directive. Look for a line similar to one of the following in the configuration file:
LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
LoadModule remoteip_module modules/mod_remoteip.so
  3. Then verify that the mod_remoteip module loads:
$ sudo apachectl -t -D DUMP_MODULES | grep -i remoteip
  4. After that, verify the output to make sure it contains a line that looks like:
remoteip_module (shared)

If this line is not present in the output, the module has not been included or loaded in the configuration. Our Support Techs would like to remind you to enable the module before you go ahead.

  5. Next, add the line below to the Apache configuration file. This will enable Proxy Protocol support:
RemoteIPProxyProtocol On
  6. Then edit the LogFormat part of the configuration file so that it captures the remote IP address (%a) as well as the remote port (%{remote}p). For example:
LogFormat "%h %p %a %{remote}p %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  7. Then save the changes made.
  8. After that, reload the Apache service.

Run the following command for Sysvinit, Debian-based systems like Ubuntu, and SUSE like SLES11:

# /etc/init.d/apache2 reload

Use the following command for Sysvinit, RPM-based systems like Amazon Linux and RHEL 6, except SUSE:

# /etc/init.d/httpd reload

Run this command for Systemd, Debian-based systems (such as Ubuntu), and SUSE (such as SLES12):

# systemctl reload apache2

Run the following command for Systemd, RPM-based systems like Amazon Linux 2 and RHEL 7, except SUSE:

# systemctl reload httpd
  9. Then open the Apache web server access logs.
  10. Check whether the client IP addresses are now recorded under the Proxy Protocol header.
  11. Remember to enable support for the Proxy Protocol in the target application.

Classic Load Balancers with TCP/SSL Listeners (NGINX)

  1. First, open the NGINX configuration file via a text editor. The file is typically located at /etc/nginx/nginx.conf.
  2. Then change the listen line in the server section to enable proxy_protocol. After that, change the log_format line in the http section so that it records $proxy_protocol_addr:
http {
    ...
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$proxy_protocol_addr"';

    access_log  /var/log/nginx/access.log  main;
    ...
    # The server block sits inside the http block.
    server {
        ...
        listen  80  default_server proxy_protocol;
        ...
    }
    ...
}
  3. Then save the changes.
  4. After that, reload the NGINX service. For instance, run this command on RHEL or Amazon Linux 2:
systemctl reload nginx

Please note that the command used to reload the NGINX service differs on different systems. These commands are similar to the ones used to reload the Apache service as seen in the previous section.

  5. Next, open the NGINX web server access logs.
  6. Then ensure that the client IP addresses are recorded under the Proxy Protocol header now.
  7. Finally, enable the Proxy Protocol support in the target application.
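
What the Proxy Protocol header looks like on the wire, as an added example (not code from the original article): with Proxy Protocol enabled, a Classic Load Balancer sends one human-readable version 1 line ahead of the client's own bytes, which is why both the Apache and NGINX TCP/SSL sections above require support on the load balancer and in the target. The sample bytes and the name split_proxy_v1 are constructed for illustration.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header line, CRLF included, per the spec

# Constructed sample: what the back end receives on a new connection when
# Proxy Protocol is enabled on the load balancer (documentation addresses).
SAMPLE = (b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")


def split_proxy_v1(data):
    """Split the first bytes of a connection into (info, payload).

    info holds the client and proxy address/port, or is None for
    "PROXY UNKNOWN". Raises ValueError if the header is absent or malformed.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("no Proxy Protocol v1 header")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed Proxy Protocol v1 header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match " + fields[1])
    sport, dport = (int(f) for f in fields[4:6])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    info = {"client_ip": str(src), "client_port": sport,
            "proxy_ip": str(dst), "proxy_port": dport}
    return info, payload


if __name__ == "__main__":
    print(split_proxy_v1(SAMPLE))
```

A target without Proxy Protocol support sees the PROXY line as the start of the request, and a listener with it enabled believes whatever address the header states, so that listener should accept connections only from the load balancer.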


Conclusion: Capture Client IP addresses in the Web Server Logs Behind an ELB

In short, we saw how to capture client IP addresses in the web server logs behind an ELB with ease.
