Menu
We have some PHP servers on EC2 behind ELB. We would like to determine the locale/region by IP address of the clients connecting to our servers. The problem is the PHP servers only see the IP address of the ELB. We would like to see the IP addresses of the clients passed through the ELB.
250
The load balancer has one IP address per enabled Availability Zone. These are the addresses of the load balancer nodes.
The short answer: Yes, ELB's IP addresses (both the ones that are publicly distributed to clients of your service, and the internal IPs from which ELB sends traffic to your instances) dynamically change.
According to the AWS docs, the ELB should be setting the 'X-Forwarded-For' HTTP header which preserves the original client ip address:
The X-Forwarded-For request header helps you identify the IP address of a client. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. To see the IP address of the client, use the X-Forwarded-For request header.
You can access it using the following PHP code (assuming apache):
$http_headers = apache_request_headers();
$original_ip = $http_headers["X-Forwarded-For"];
If you use Apache, have a look at the mod_remoteip module. It's included in Apache 2.4 and newer, but backports for 2.2 can also be found.
The module overrides the client IP address for the connection with the useragent IP address reported in the request header configured with the RemoteIPHeader directive.
Once replaced as instructed, this overridden useragent IP address is then used for the mod_authz_host Require ip feature, is reported by mod_status, and is recorded by mod_log_config %a and core %a format strings. The underlying client IP of the connection is available in the %{c}a format string.
In other words, you can set which header to use (e.g. X-Forwarded-For) and which IP's are trusted (e.g. your load-balancer). The trusted IPs are removed from the header and the first untrusted IP is used as the originating client. This IP is then used internally by Apache in other modules, such as for logging, host-authentication, etc.
This makes it more useful than only handling the X-F-F header in PHP, since mod_remoteip takes care of the entire stack, makes sure your access-logs are correct, etc.
Note: There's also a mod_rpaf module which is the predecessor to this one. It's much more limited. For example, it cannot handle trusted ip-ranges. You need this since you don't know ELB's IP beforehand. It also can't handle multiple hops, such as ELB before Varnish, before Apache. I'd suggest skipping the rpaf module and using remoteip instead.
42
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
