Diary

Getting Client IP from AWS ELB Load Balancer and Logging


AWS
ELB
EC2
Apache 2.4.39

When using a load balancer, web server logs like Apache only show the ELB’s IP address, not the actual client IP.

With AWS ELB, the real client IP is in the “X-Forwarded-For” header, so you need to configure your web server to log this header.

Sample Apache configuration addition

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
Diary

AWS ELB WordPress SSL HTTPS Load Balancer Configuration


AWS
ELB (Load Balancer)
SSL
Apache 2.4.39
Wordpress 5.1

■Communication Environment
Client PC
  │ (port 443)
  ▼
ELB [SSL certificate configured] [ELB rule: redirect external port 80 access to 443]
  │ (port 80)
  ▼
EC2 (port 80 only, internal)

■Problem
・The browser accesses the main page over https (443)
・Because EC2 is configured as a port 80 (http) environment, WordPress generates HTML whose CSS and header URLs are http (80)
・The browser sees http (80) resource URLs whose scheme differs from the main URL and blocks them as a security (mixed-content) error
・The HTML does not render correctly in the browser

■Pattern 1: .htaccess rewrite only

# BEGIN K.Miyakoshi

# Change access from AWS ELB to HTTPS
SetEnvIf X-Forwarded-Proto ^https$ HTTPS=on

# Redirect http access to https
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

# END K.Miyakoshi

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

■Pattern 2: full configuration in a vhost.conf under “conf.d” (or similar)

#============================================
# ELB Common Logging Support K.Miyakoshi
#============================================
# AWS ELB Support - Added [%{X-Forwarded-For}i] to get client IP
LogFormat "%{X-Forwarded-For}i:%{X-Forwarded-Port}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" elb-accesslog
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %{X-Forwarded-For}i:%{X-Forwarded-Port}i %a] %M% ,\ referer\ %{Referer}i"

# AWS ELB Support - Exclude health check access from normal logs
SetEnvIf User-Agent "ELB-HealthChecker.*" nolog
# AWS ELB Support - Output health check access to separate log file
SetEnvIf User-Agent "ELB-HealthChecker.*" elb-log
# Exclude img, js etc from logs
SetEnvIf Request_URI "\.(gif|jpg|png|ico|jpeg|js|css)$" nolog

# Normal log settings
CustomLog logs/access_log elb-accesslog env=!nolog
ErrorLog logs/error_log

#============================================
# ELB WordPress Solution - https(443)→http(80) Redirect Problem
#============================================
# Enable HTTPS when AWS ELB is receiving https
SetEnvIf X-Forwarded-Proto ^https$ HTTPS=on

# Redirect http access to https
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>

#============================================
# default
# Used for ELB health check (Alias also works)
#============================================
<VirtualHost _default_:80>
	ServerName _default_:80
	ServerAdmin admin@hoge.com

	DocumentRoot "/opt/lampp/htdocs"
	<Directory "/opt/lampp/htdocs">
		AllowOverride All
		Options FollowSymLinks
		Require all granted

		Options +IncludesNoExec
		AddOutputFilter INCLUDES html
	</Directory>

	CustomLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/htdocs/access_%Y%m%d.log 86400 540" elb-accesslog env=!nolog
	CustomLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/htdocs/elb_%Y%m%d.log 86400 540" elb-accesslog env=elb-log
	ErrorLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/htdocs/error_%Y%m%d.log 86400 540"

</VirtualHost>

#============================================
# taro.hoge.com
#============================================
<VirtualHost *:80>
	ServerName taro.hoge.com
	ServerAdmin admin@hoge.com

	DocumentRoot "/opt/lampp/taro"
	<Directory "/opt/lampp/taro">
		AllowOverride All
		Options FollowSymLinks
		Require all granted
	</Directory>

	CustomLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/taro/access_%Y%m%d.log 86400 540" elb-accesslog env=!nolog
	# Logs output if [taro.hoge.com] DNS is configured in AWS ELB
	CustomLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/taro/elb_%Y%m%d.log 86400 540" elb-accesslog env=elb-log
	ErrorLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/taro/error_%Y%m%d.log 86400 540"

</VirtualHost>

#============================================
# jiro.hoge.com
#============================================
<VirtualHost *:80>
	ServerName jiro.hoge.com
	ServerAdmin admin@hoge.com

	DocumentRoot "/opt/lampp/jiro"
	<Directory "/opt/lampp/jiro">
		AllowOverride All
		Options FollowSymLinks
		Require all granted
	</Directory>

	CustomLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/jiro/access_%Y%m%d.log 86400 540" elb-accesslog env=!nolog
	# Logs output if [jiro.hoge.com] DNS is configured in AWS ELB
	CustomLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/jiro/elb_%Y%m%d.log 86400 540" elb-accesslog env=elb-log
	ErrorLog "| /opt/lampp/bin/rotatelogs /opt/lampp/logs/jiro/error_%Y%m%d.log 86400 540"

</VirtualHost>

#============================================
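Both the short LogFormat in the first diary entry and the elb-accesslog format above log %{X-Forwarded-For}i exactly as the header arrived. The client can send its own X-Forwarded-For; the ELB then appends the address that actually connected to it, so only the rightmost entry (or, when a trusted proxy such as a CDN sits in front of the ELB, the first entry from the right that is not a trusted proxy) identifies the client, and everything to its left is client-supplied. A second detail: because the header can contain ", " between hops and colons in IPv6 addresses, a line in this format cannot be split on whitespace; the parser anchors on the port and the bracketed timestamp instead. The script below is an added example, not code from the original post: the log lines are constructed, and the 192.0.2.0/24 "trusted upstream" range is a placeholder standing in for whatever actually sits in front of the ELB.

```python
"""Parse Apache access-log lines written with the page's 'elb-accesslog'
LogFormat and recover the trustworthy client IP from X-Forwarded-For.

Added example: the sample log lines are constructed and TRUSTED_UPSTREAM is a
placeholder range, not a real AWS or CDN address range.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches:  %{X-Forwarded-For}i:%{X-Forwarded-Port}i %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The X-Forwarded-For field may contain ", " (one entry per proxy hop) and IPv6
# colons, so it is matched non-greedily up to the ":<port> " that follows it.
LINE_RE = re.compile(
    r'^(?P<xff>.*?):(?P<xfp>-|\d+) (?P<peer>\S+) \S+ (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>-|\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Placeholder: address range of a proxy that legitimately sits in front of the ELB.
TRUSTED_UPSTREAM = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Entry:
    client_ip: Optional[str]      # trustworthy client address, None if undeterminable
    forwarded_chain: List[str]    # every X-Forwarded-For value as logged
    untrusted_prefix: List[str]   # entries the client itself supplied
    peer: str                     # %h: the ELB node that connected to Apache
    request: str
    status: int
    agent: str
    health_check: bool


def resolve_client_ip(xff, trusted_proxies):
    """Walk X-Forwarded-For from the right. The ELB appended the rightmost entry
    (its TCP peer), so skip entries belonging to proxies we trust and take the
    first one that is not a trusted proxy; everything left of it was supplied
    by the client and must not be used for attribution."""
    if xff == "-" or not xff.strip():
        return None, [], []
    chain = [e.strip() for e in xff.split(",")]
    for idx in range(len(chain) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(chain[idx])
        except ValueError:
            return None, chain, chain[:idx + 1]   # garbage where an address belongs
        if any(addr in net for net in trusted_proxies):
            continue
        return str(addr), chain, chain[:idx]
    return None, chain, []   # every entry was a trusted proxy: no client address


def parse_line(line, trusted_proxies=()):
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"line does not match elb-accesslog format: {line!r}")
    client, chain, prefix = resolve_client_ip(m["xff"], trusted_proxies)
    return Entry(
        client_ip=client, forwarded_chain=chain, untrusted_prefix=prefix,
        peer=m["peer"], request=m["request"], status=int(m["status"]),
        agent=m["agent"], health_check=m["agent"].startswith("ELB-HealthChecker"),
    )


# Constructed sample: line 2 carries a client-forged "127.0.0.1" before the
# address the ELB appended; line 4 arrived through the placeholder trusted CDN.
SAMPLE_LOG = """\
203.0.113.7:443 10.0.1.25 - - [05/Mar/2020:10:00:01 +0900] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
127.0.0.1, 203.0.113.7:443 10.0.1.25 - - [05/Mar/2020:10:00:02 +0900] "POST /wp-login.php HTTP/1.1" 403 512 "-" "curl/7.61.1"
2001:db8::1:443 10.0.1.25 - - [05/Mar/2020:10:00:03 +0900] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9, 192.0.2.44:443 10.0.1.26 - - [05/Mar/2020:10:00:04 +0900] "GET /feed/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
-:- 10.0.1.25 - - [05/Mar/2020:10:00:05 +0900] "GET / HTTP/1.1" 200 8192 "-" "ELB-HealthChecker/2.0"
"""


def summarize(log_text, trusted_proxies=TRUSTED_UPSTREAM):
    """Per-client request counts over real traffic (health checks excluded) and
    every line whose X-Forwarded-For carried client-supplied entries."""
    counts, forged = {}, []
    for line in log_text.splitlines():
        e = parse_line(line, trusted_proxies)
        if e.health_check:
            continue
        counts[e.client_ip] = counts.get(e.client_ip, 0) + 1
        if e.untrusted_prefix:
            forged.append((e.client_ip, e.untrusted_prefix))
    return counts, forged


if __name__ == "__main__":
    counts, forged = summarize(SAMPLE_LOG)
    for ip, n in counts.items():
        print(f"{ip:>16}  {n} request(s)")
    for ip, prefix in forged:
        print(f"client-supplied X-Forwarded-For entries from {ip}: {prefix}")
```

Apache 2.4 can apply the same trust rule at log time with mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy for the ELB subnet), after which %a already holds the client address; the script is for logs already written in the page's format. The same trust consideration applies to X-Forwarded-Proto in the redirect rules above, which is why the page's setup depends on EC2 port 80 being reachable only internally, so that no client can present that header to Apache directly.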
Diary

AWS EC2 Amazon Linux 2 AMI 2.0 Instance Initial Setup with Japanese Language Support


Update Libraries

sudo yum update

Set timezone to Asia/Tokyo
sudo timedatectl
sudo timedatectl set-timezone Asia/Tokyo

Japanese language settings (locale: ja_JP.utf8)
localectl
sudo localectl set-locale LANG=ja_JP.utf8
localectl
cat /etc/locale.conf
sudo localectl set-keymap jp106
cat /etc/vconsole.conf

Development tools

Install libraries needed for compilation
sudo yum -y groupinstall base "Development tools"

Install nkf command needed for Japanese text processing
wget "https://ja.osdn.net/dl/nkf/nkf-2.1.4.tar.gz" -O nkf-2.1.4.tar.gz
tar zxvf nkf-2.1.4.tar.gz
cd nkf-2.1.4/
sudo make && sudo make install
cd ..
rm -rf nkf-2.1.4
rm -f nkf-2.1.4.tar.gz
sudo ln -s /usr/local/bin/nkf /usr/bin/nkf

Automatic Time Sync and Update Settings

sudo yum -y install chrony

sudo vi /etc/chrony.conf

#------------------------------------
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# In comments
# pool 2.amazon.pool.ntp.org iburst

# Add these
server ntp.nict.jp iburst
server ntp1.jst.mfeed.ad.jp iburst
server ntp2.jst.mfeed.ad.jp iburst
server ntp3.jst.mfeed.ad.jp iburst
#------------------------------------

sudo systemctl restart chronyd
sudo systemctl enable chronyd

#Check
sudo chronyc sources

mailx

An email setup is often needed. It is not pre-installed on the AMI, so set it up for administrative notifications.
※sendmail [postfix] comes pre-installed

# Work as root
sudo su -

# mail command not available without module, so install it
yum install mailx

# Delete old root mail just in case
sed -i '/^root:/d' /etc/aliases

# Root mail forwarding
echo "root: hoge@hogetaro.com" >> /etc/aliases

# Apply changes
newaliases

# Test
echo testtaro | mail root

# Return to user
exit

※AWS strictly controls outbound email on port 25. High-volume outbound mail may be blocked; if that happens, go through the approval process.
Approval is required to run a proper SMTP server.
https://forums.aws.amazon.com/thread.jspa?threadID=153660

telnet

Convenient utility. Install if desired.

sudo yum -y install telnet