0

We have an AWS load balancer. The load balancer uses TCP connections on port 443 to encrypt the data.

Since the load balancer encrypts the IP of the client, in our Apache log file we can see only the IP of the load balancer rather than the client, even though we have used %{X-Forwarded-For}i in our log format.

Is there any way to handle this issue?

sriram

2 Answers

3

Yes, ELBs support decrypting the SSL request and sending a plain http request back to your Apache back end servers.

The ELB will add both X-Forwarded-For and X-Forwarded-Proto headers so you can tell the difference between SSL requests and plain http requests. The non-SSL requests may only have the X-Forwarded-For header or may have the X-Forwarded-Proto header set to http.

If your Apache is receiving requests on port 443, the ELB can't be injecting any headers and your logs will only ever contain the IP address of the load balancer itself. You have to do SSL termination in the ELB to get the X-Forwarded-For header.

There's a decent tutorial here. There's also an answer specifically for Thawte here.

Ladadadada
  • So you meant to say if I add `X-Forwarded-Proto` in my log format it will work? Or move the ssl certificates to the load balancer? – sriram Oct 17 '12 at 10:21
  • `X-Forwarded-Proto` is so your application can generate image and css links that start with `https://`. Moving the SSL certificates to the load balancer will allow it to add the `X-Forwarded-For` header which will allow your existing rules to work. Bear in mind that `X-Forwarded-For` can be a comma-separated list and not always a single IP address. `mod_rpaf` or `mod_remoteip` will put the correct IP address in the normal IP address variable. – Ladadadada Oct 17 '12 at 11:08
0

You need mod_rpaf for Apache. It will put the IP packed in X-FORWARDED-FOR in place of the IP of the load balancers.

Hrvoje Špoljar
  • Does `mod_rpaf` tackle the problem of the TCP connection on port 443? Since our load balancer uses that as a port. – sriram Oct 17 '12 at 05:43
  • Yes; the port is irrelevant here; at some point the SSL connection must be terminated; at that point mod_rpaf should kick in and use the address from the X-FORWARDED-FOR header – Hrvoje Špoljar Oct 17 '12 at 05:44
  • But why doesn't the normal `%{X-Forwarded-For}i` work? – sriram Oct 17 '12 at 05:47
  • Probably because load balancers use some other header name which is not 'X-Forwarded-For' – Hrvoje Špoljar Oct 17 '12 at 06:14
  • mod_rpaf will be [tricky to configure behind an Amazon ELB](http://serverfault.com/questions/329893/mod-rpaf-behind-an-amazon-elb). The problem is that you can't use CIDR notation and have to list all 16 million possible 10.x.x.x IP addresses individually. There are two solutions in the answers to that question, one of which I wrote. – Ladadadada Oct 17 '12 at 09:21
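Two points raised in the comments above deserve a concrete illustration: `X-Forwarded-For` can be a comma-separated list rather than a single address (Ladadadada's comment on the first answer), and modules like `mod_rpaf` and `mod_remoteip` only work safely when they know which proxy address ranges to trust (the CIDR / 10.x.x.x comment on the second answer). The following is an added example, not code from either answer or from the Apache modules themselves. It reimplements the trusted-proxy rule those modules apply: walk the chain from the TCP peer backwards and stop at the first hop that is not a trusted proxy, so a client-supplied fake entry at the left of the header is never taken as the client address, and a client that reaches Apache directly (bypassing the ELB) cannot spoof an address at all. The proxy range `10.0.0.0/8` and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Sequence

# Constructed assumption for the example: the load balancer's internal
# addresses live in 10.0.0.0/8, as discussed in the mod_rpaf comment above.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted: Sequence) -> bool:
    """True if addr falls inside any trusted proxy network."""
    return any(addr in net for net in trusted)


def client_ip(peer_addr: str, xff_header: Optional[str],
              trusted: Sequence = TRUSTED_PROXIES) -> str:
    """Resolve the real client address from the TCP peer and X-Forwarded-For.

    The hop list is the header entries (left = first hop) followed by the
    TCP peer.  Walking right to left, each trusted proxy is skipped; the
    first address that is not a trusted proxy is the client.  If every hop
    is trusted, the leftmost entry is returned.  Anything a client itself
    prepends to the header sits left of the ELB's entry and is ignored.
    """
    hops: List[str] = []
    if xff_header:
        hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    hops.append(peer_addr)

    candidate = hops[-1]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop and keep the last valid address seen.
            break
        candidate = hop
        if not _is_trusted(addr, trusted):
            break
    return candidate


def access_log_line(peer_addr: str, xff_header: Optional[str],
                    request: str) -> str:
    """Build a log line that records both the resolved client address and the
    raw header, mirroring the idea of logging %a alongside %{X-Forwarded-For}i
    so spoofing attempts remain visible in the log."""
    raw = xff_header if xff_header else "-"
    return f'{client_ip(peer_addr, xff_header)} "{request}" xff="{raw}"'


if __name__ == "__main__":
    # Constructed requests: (tcp_peer, x-forwarded-for header, request line)
    samples = [
        ("10.0.1.5", "203.0.113.7", "GET / HTTP/1.1"),
        ("10.0.1.5", "198.51.100.9, 203.0.113.7", "GET /a HTTP/1.1"),
        ("10.0.1.5", "198.51.100.9, 10.0.2.2", "GET /b HTTP/1.1"),
        ("203.0.113.7", "198.51.100.9", "GET /c HTTP/1.1"),
        ("10.0.1.5", None, "GET /d HTTP/1.1"),
    ]
    for peer, xff, req in samples:
        print(access_log_line(peer, xff, req))
```

The second sample is the interesting one: a client that sends its own `X-Forwarded-For: 198.51.100.9` gets the ELB's real entry appended to the right, so the resolved address is `203.0.113.7`, not the forged one. The fourth sample shows a direct connection from an untrusted peer, where the header is ignored entirely. In Apache, `mod_remoteip` applies the same rule through `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy 10.0.0.0/8`, after which `%a` in `LogFormat` carries the resolved client address.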