
I have an AWS TCP load balancer in front of an autoscaling pool. There are multiple domains behind it, so I can't do SSL termination on the load balancer, hence TCP.

I've updated my logging format to log the X-Forwarded-For header, and this works well for HTTP but not for HTTPS.

Forums don't indicate that this can't be done, as they talk about HTTP(S); however, I can't get it to work. Can it work?

Here are my logging details:

```apache
# Standard combined format, used when no X-Forwarded-For header is present
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# Same fields as combined, but logs the X-Forwarded-For value in place of the peer address (%h)
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
# Set the "forwarded" env var when the header contains something shaped like an IPv4 address
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
LogFormat "%h %l %u %t \"%r\" %>s %b" common

# Both directives write to the same file; the env= condition picks the format
CustomLog "logs/access_log" combined env=!forwarded
CustomLog "logs/access_log" proxy env=forwarded
```

Dumping all attributes in PHP, I can see the header for HTTP requests but not HTTPS, so I don't think it's a config issue.

Rudiger

2 Answers


ELB has no way of adding that header, as this header is a function of HTTP, and this is a TCP load balancer. All it knows is that it's passing some TCP flow and no more. If you need the ELB to add this header, you'll need to terminate HTTPS at the load balancer. From there it can communicate with your backend instances via HTTP or HTTPS as required.

EEAA
  • From your answer, as I understand it, this header wouldn't be on HTTP either? – Rudiger May 20 '17 at 00:24
  • If you terminated http at the ELB then the forwarded header could be added. – Tim May 20 '17 at 02:32
  • Right, @Tim, but with multiple SSL certs using SNI, you can't do that, since the TLS session is terminated by the back-end, not the balancer... which is why ELB Classic supports the [Proxy protocol](http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html) -- to identify the client IP to a Proxy protocol enabled back-end service (like HAProxy, which can terminate the SSL with SNI support and add the `X-Forwarded-For` header to the HTTP, which it will see). – Michael - sqlbot May 20 '17 at 03:40
  • @Michael-sqlbot are you saying the only way to do it is to terminate the SSL at the load balancer, and to have the multiple SSL certs I'd need a HAProxy service, which isn't an AWS Load Balancer? – Rudiger May 20 '17 at 04:59
  • @Rudiger not at all. I'll make this into a separate answer and explain the options. – Michael - sqlbot May 20 '17 at 15:45
  • @Michael-sqlbot any chance you could post your answer? – Rudiger May 27 '17 at 21:51
  • @Rudiger oops. Yes, let me refresh my memory on the issue and see what I can do. – Michael - sqlbot May 27 '17 at 23:19
  • @Michael-sqlbot I've posted an answer as I've found a way around the problem. – Rudiger Jun 02 '17 at 02:37
  • Glad to hear it, but it isn't clear exactly what you are saying you did to solve it... your answer mentions `X-Forwarded-For`, but the `X-Forwarded-Proto` header is the header that indicates SSL. So you switched your balancer to HTTP mode and used an SSL cert on the balancer as well as on CloudFront? – Michael - sqlbot Jun 02 '17 at 12:07
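The Proxy protocol mentioned in the comments above, as an added example that is not part of the question or either answer: a parser for the v1 header line an ELB Classic prepends to the TCP flow when Proxy protocol is enabled. This is how a TLS-terminating backend learns the client address even though the balancer never touches HTTP; the sample bytes are constructed, and the backend only trusts this line because it comes from the balancer, not from the client.

```python
"""Parse the PROXY protocol v1 line an ELB Classic prepends to a TCP flow.

Added example: the balancer cannot add an HTTP header to a TLS stream it does
not terminate, so with Proxy protocol enabled it prepends one plain-text line
before the client's bytes. The backend reads that line, then treats the rest
as the untouched TLS stream and can add X-Forwarded-For itself after the
handshake.
"""
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF, per the spec


class ProxyHeaderError(ValueError):
    """Raised for a missing or malformed PROXY line."""


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, remaining_bytes).

    client_ip/client_port are None for 'PROXY UNKNOWN' (balancer could not
    determine the source); remaining_bytes is the original TLS stream.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1 or not data.startswith(b"PROXY "):
        raise ProxyHeaderError("no PROXY v1 line at start of stream")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError(f"malformed PROXY line: {fields}")
    _, proto, src, dst, sport, dport = fields
    try:
        src_ip = ipaddress.ip_address(src)
        ipaddress.ip_address(dst)  # destination must be valid too
        ports = (int(sport), int(dport))
    except ValueError as exc:
        raise ProxyHeaderError(f"bad address or port: {exc}") from exc
    if (proto == "TCP4") != (src_ip.version == 4):
        raise ProxyHeaderError("address family does not match protocol")
    if any(not 0 <= p <= 65535 for p in ports):
        raise ProxyHeaderError("port out of range")
    return str(src_ip), ports[0], rest


# Constructed sample: PROXY line followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.5 10.0.0.12 51234 443\r\n" + b"\x16\x03\x01\x00\xa5\x01"

if __name__ == "__main__":
    ip, port, tls = parse_proxy_v1(SAMPLE)
    print(ip, port, tls[:3])  # 203.0.113.5 51234 b'\x16\x03\x01'
```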

While I highly doubt it is possible to get the X-Forwarded-For header working when the SSL termination isn't being done on the load balancer, I haven't found a definitive no. However, there is a solution I've made work using CloudFront.

As you can have multiple distributions pointing to the one load balancer and AWS provides certificates for SSL, you can terminate the SSL at the edge location. CloudFront will add the header and forward the request (if needed) to the load balancer. From there the header will reach your server.

Rudiger