Tag Archives: Amazon Web Services

How to get client IP with PHP behind AWS Elastic Load Balancer

If a PHP application server is located behind Amazon Web Service’s Elastic Load Balancer, or another type of proxy server, it is likely that the traditional mechanism for retrieving the end user’s IP address will not work as expected.  As the request passes through the server, the REMOTE_ADDR key of the $_SERVER variable changes to that of the load balancer; however, all is not lost.  In particular, using the AWS Elastic Load Balancer results in the client IP being transferred to another key in the $_SERVER variable—HTTP_X_FORWARDED_FOR.

The code to find the correct IP address is quite simple:

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR']) {
    $clientIpAddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $clientIpAddress = $_SERVER['REMOTE_ADDR'];
}

Keep in mind, we have made no considerations for IP spoofing. As always, ensure you protect yourself with a variety of security techniques.

Preparing an SSL certificate for use with AWS Elastic Load Balancer

Today I was tasked with re-keying our SSL certificate in preparation for the implementation of Amazon Web Service’s Elastic Load Balancer service.  In order to properly implement the load balancer into our existing architecture, it must be able to handle SSL connections.  We current employ GoDaddy’s Premium SSL Certificate, which gives you the familiar green bar in the address bar of your browser.  After copying and pasting the private key, certificate, and certificate chain data into the provided inputs, Amazon returned the following message: “Invalid private key.”

When I generate SSL certificate signing requests, I generally use the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Unfortunately, the resultant format is not compatible with AWS’s Elastic Load Balancer.  In order to counter the “Invalid private key” error, I issued the following commands:

openssl genrsa -des3 -out yourdomain.key 2048
openssl req -new -key yourdomain.key -out yourdomain.csr

After that, copy and paste the CSR contents into the CSR input provided by GoDaddy.  After doing this, I attempted to restart Apache HTTP Server, and noticed the following errors in /etc/httpd/logs/error_log.

[Mon Oct 07 17:55:24.779930 2013] [ssl:emerg] [pid 23786] AH02204: Init: Pass phrase incorrect for key of yourdomain:443
[Mon Oct 07 17:55:24.779981 2013] [ssl:emerg] [pid 23786] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

[Mon Oct 07 17:55:24.780076 2013] [ssl:emerg] [pid 23786] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Oct 07 17:55:24.780093 2013] [ssl:emerg] [pid 23786] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

Unfortunately, the new private key required a passphrase and Apache didn’t like that. While there are a number of approaches to resolve the issue between Apache and private key passphrases, I chose to remove it, both for the sake of simplicity, and because the Elastic Load Balancer will not accept a private key containing a passphrase. To remove the passphrase, use the following command:

openssl rsa -in yourdomain.key -out yourdomain.key.nopass

At this point, the HTTP server can be restarted, and the SSL certificate’s private key will work with Amazon Web Service’s Elastic Load Balancer.