Problems getting real request data in ApiGateway Login with mTLS


Hello

Today we use the API Gateway to filter requests/authentications, etc., but we are facing a problem with passing the origin IP addresses of HTTPS requests. Where we do not use mTLS, the request filters/logging are correct, but when mTLS is active, the IP that comes in is an internal IP and we are unable to understand the origin.

I will pass the headers that we are receiving in an apigw where we are not using mTLS:

"x-real-ip":"179.96.204.11","x-request-id":"Q-ctMhWgmjQEMTw=","forwarded":"for=179.96.204.11;host=api.xxxxxxx.com.br;proto=https","via":"HTTP/1.1 AmazonAPIGateway"

Now I will pass the headers that we are receiving in an apigw where we are using mTLS:

"x-real-ip":"10.1.12.36:21568","x-request-id":"Q-j41jlFmjQEMaw=","forwarded":"host=x1.xxxxxxx.com.br;proto=https","via":"HTTP/1.1 AmazonAPIGateway"

Even in the apigw logs themselves, the IP we get is not the origin IP, but an internal IP of the VPC. This is our flow to get to our services: apigw -> ALB -> ECS. I will pass the logs that we configured. These logs are from apigw itself:

No mTLS: {"requestTime":"05/Jan/2024:12:59:18 +0000","requestId":"RER-Bi7UGjQEMIA=","httpMethod":"POST","path":"/.xxxxxxx/api/v1/authorizedDebit/create","routeKey":"ANY /api/v1/{proxy+}","status":200,"responseLatency":127,"integrationRequestId":"-","functionResponseStatus":"200","integrationLatency":"124","integrationServiceStatus":"200","authorizeResultStatus":"-","authorizerRequestId":"-","ip":"18.229.5.69","userAgent":"axios/1.2.3","principalId":"-"}

Logger configuration: {"requestTime":"$context.requestTime","requestId":"$context.requestId","httpMethod":"$context.httpMethod","path":"$context.path","routeKey":"$context.routeKey","status":$context.status,"responseLatency":$context.responseLatency,"integrationRequestId":"$context.integration.requestId","functionResponseStatus":"$context.integration.status","integrationLatency":"$context.integration.latency","integrationServiceStatus":"$context.integration.integrationStatus","authorizeResultStatus":"$context.authorizer.status","authorizerRequestId":"$context.authorizer.requestId","ip":"$context.identity.sourceIp","userAgent":"$context.identity.userAgent","principalId":"$context.authorizer.principalId"}

With mTLS:

{"requestTime":"05/Jan/2024:12:56:23 +0000","requestId":"RERivh1NGjQEMrA=","httpMethod":"GET","path":"/.xxxxxxx/secure/pix/reference/0a60b91a271f4dc33049ec0a6dd96f64","routeKey":"ANY /secure/{proxy+}","status":200,"responseLatency":20,"integrationRequestId":"-","functionResponseStatus":"200","integrationLatency":"17","integrationServiceStatus":"200","authorizeResultStatus":"-","authorizerRequestId":"-","ip":"10.1.12.166:7464","userAgent":"axios/0.27.2","principalId":"-"}

Logger configuration: {"requestTime":"$context.requestTime","requestId":"$context.requestId","httpMethod":"$context.httpMethod","path":"$context.path","routeKey":"$context.routeKey","status":$context.status,"responseLatency":$context.responseLatency,"integrationRequestId":"$context.integration.requestId","functionResponseStatus":"$context.integration.status","integrationLatency":"$context.integration.latency","integrationServiceStatus":"$context.integration.integrationStatus","authorizeResultStatus":"$context.authorizer.status","authorizerRequestId":"$context.authorizer.requestId","ip":"$context.identity.sourceIp","userAgent":"$context.identity.userAgent","principalId":"$context.authorizer.principalId"}

Therefore, we would like some help on how to obtain the real request origin in ApiGateway logging with active mTLS. We consulted materials from the links below and were unsuccessful:

https://docs.aws.amazon.com/apigateway/latest/api/API_GetGatewayResponse.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-request-validation-set-up.html
https://docs.aws.amazon.com/apigateway/latest/api/API_PutGatewayResponse.html
https://repost.aws/knowledge-center/api-gateway-errors-cloudwatch-logs

wotenis
asked 3 months ago, 84 views
No Answers
