Ubuntu Server AWS EC2 ELB Apache Log Fix

If you’ve launched AWS EC2 server instances behind a load balancer, you’ve probably noticed that your Apache logs show the load balancer’s internal IP address for every entry.

I’ve seen a few blogs that explain that the reason for this is that the ELB load balancer is configured as a reverse proxy and the actual IP address of the origin is masked. Aside from the cosmetics of seeing thousands of log entries all with the same IP address, this is actually bad for SEO as your sitemaps will also be showing all your visitors coming from one IP address. Also, if you are using geoip, the country filter won’t work, as it will see all visitors as coming from the Amazon region where your EC2 instances are located.

Here’s the fix:
Very simple actually. It worked for me on Ubuntu 12.04 LTS and I assume it will work on any Linux configuration. Instead of logging the remote host (%h, which in our case is the load balancer’s internal IP), we want to log the X-Forwarded-For header, which carries the origin IP for the entry.
Open your Apache configuration file for editing. On Ubuntu it’s at /etc/apache2/apache2.conf. If you’re not on Ubuntu, you can use locate to find it on your instance: locate apache2.conf

sudo vi /etc/apache2/apache2.conf

Next, within the configuration file, look for the section with LogFormat. There should be several lines beginning with LogFormat. The top three should be for vhost_combined, combined, and common. In all three lines, where you see %h (which writes the remote host to the Apache log), change that to %{X-Forwarded-For}i

Before

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common

After

LogFormat "%v:%p %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %O" common

Then remember to reload apache

sudo service apache2 reload

Note of Caution: It’s relatively easy for someone to spoof the header and change the X-Forwarded-For to whatever address they want. That would mask their actual IP from you. Therefore, this solution is not intended for applications that have security implications.

Another tip: within your web application, if you are using the IP for any purpose, like MaxMind’s geoip, you’ll need to read X-Forwarded-For instead of the remote host as well, e.g. $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
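The caution and the tip above both come down to which part of X-Forwarded-For can be believed. The following added example (not part of the original post) parses lines written by the "After" combined/common formats and keeps only the right-most address that is not one of your own proxies, relying on ELB appending the address it saw to the end of the header; the 10.0.0.0/8 trusted range, the function names and the sample log lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumption: proxies you operate yourself (e.g. a second proxy tier) live here.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Matches the "After" common/combined formats. The first field can contain
# ", " because the whole X-Forwarded-For header is logged, so anchor on %t.
LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "'
)

def client_ip_from_xff(xff, trusted=TRUSTED_PROXIES):
    """Right-most entry that is not one of our own proxies, or None.

    The load balancer appends the address it saw to the end of the header;
    anything further left was sent by the client and is unverified.
    """
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # missing ("-") or malformed: do not guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None

def parse_line(line):
    """Return (client_ip, raw_xff) for one log line, or None if it won't parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return client_ip_from_xff(m.group("xff")), m.group("xff")

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.22"',
    '198.51.100.9, 203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "GET /login HTTP/1.1" 200 734 "-" "curl/7.22"',
    '- - - [10/Oct/2013:13:56:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "ELB-HealthChecker/1.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
```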

Let us know if you have any suggestions on how to improve this method.
