By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How to Log Original IP with Cloudflare in Front of HTTP API Gateway?

1

Hi re:Post Community,

I am currently using Cloudflare in front of my HTTP API Gateway, but I’ve noticed that the API Gateway access logs only capture the resource IP (Cloudflare IP) instead of the original client IP.

I need to log the original client IP (either the connecting-ip or the X-Forwarded-For header value) for troubleshooting purposes. However, after reviewing the logging variables documented here:

HTTP API Logging Variables

I couldn’t find any variables explicitly for logging request headers, including X-Forwarded-For.

This is my current logging format:

$context.identity.sourceIp - - [$context.requestTime] "$context.httpMethod $context.path $context.protocol" "$context.routeKey" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage

Am I missing something, or is there another way to include the original client IP in the logs? Any guidance or alternative solutions would be greatly appreciated!

Thanks in advance!

2 Answers
1
Accepted Answer

This requirement is not supported out of the box. You can of course log it in the backend, but this will not be included in the Access Logs. You can also try the Lambda authorizer path, which will return a new context variable that you can include in the access logs. This make most sense only if you already have a Lambda authorizer. Otherwise, it will require extra cost and compliction as you will need to handle the auth in the Lambda function.

profile pictureAWS
EXPERT
answered 17 days ago
profile picture
EXPERT
reviewed 16 days ago
0

You're correct that the default logging variables for HTTP API Gateway don't directly provide a way to log specific request headers like X-Forwarded-For. However, there are a few approaches you can take to capture the original client IP when using Cloudflare in front of your API Gateway:

  1. Customize your access logs: While there isn't a direct variable for X-Forwarded-For, you can use the $context.identity.clientIp variable in your logging format. This variable is designed to capture the client IP address, which should reflect the original IP when properly configured with a proxy like Cloudflare. - This will not work as there is no such context variable for HTTP APIs.

  2. Use $context.identity.sourceIp: In some cases, this variable might capture the original client IP rather than the Cloudflare IP. It's worth testing to see if this works in your setup. - This will probably not work as it will log CloudFlare's IP.

  3. Implement a Lambda authorizer: If the above options don't work, you can create a Lambda authorizer for your API. In the Lambda function, you can extract the X-Forwarded-For header and include it in the context that gets passed to your API and logged. - This might work, with added cost for invoking the Lambda function, and added complexity if the existing solution is not using a Lambda Authorizer.

  4. Use API Gateway access logging in combination with CloudWatch Logs: Enable access logging for your API and use CloudWatch Logs to analyze the logs. You might be able to correlate the Cloudflare IP with the original client IP by analyzing patterns in your logs. You will need to log the header from the backend for this to work.

  5. Modify your backend application: If possible, modify your backend application to log the X-Forwarded-For header directly. This would allow you to capture the original client IP regardless of the API Gateway logging limitations.

To implement these changes, you'll need to modify your logging format in the API Gateway console or using the AWS CLI. For example, you could update your logging format to:

$context.identity.clientIp - $context.identity.sourceIp - [$context.requestTime] "$context.httpMethod $context.path $context.protocol" "$context.routeKey" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage

Remember to test these changes in a non-production environment first to ensure they capture the information you need without causing any issues.

If none of these solutions work, you might need to consider alternative architectures or reach out to AWS support for more specific guidance on your use case.
Sources
Customize HTTP API access logs - Amazon API Gateway
View API Gateway log events in the CloudWatch console - Amazon API Gateway
Configure an HTTP API to control IP address access | AWS re:Post

profile picture
answered 17 days ago
profile pictureAWS
EXPERT
revised 17 days ago
profile pictureAWS
EXPERT
revised 17 days ago
profile pictureAWS
EXPERT
revised 17 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions