DevCentral > Weblogs > Joe Pruitt - A Software Architect's take on Network Security
 X-Forwarded-For Log Filter for Windows Servers
posted on Wednesday, August 19, 2009 11:16 AM

For those that don't know what X-Forwarded-For is, then you might as well close your browser because this post likely will mean nothing to you…

A Little Background

Now, if you are still reading this, then you likely are having issues with determining the origin of client connections to your web servers.  When web requests are passed through proxies, load balancers, application delivery controllers, etc., the client no longer has a direct connection with the destination server and all traffic looks like it's coming from the last server in the chain.  In the following diagram, Proxy2 is the last hop in the chain before the request hits the destination server.  Relying on connection information alone, the server thinks that all connections come from Proxy2, not from the Client that initiated the connection.

[Diagram: TrafficFlow]

The only one in the chain here who knows who the client really is (as determined by its client IP address) is Proxy1.  The problem is that application owners rely on source client information for many reasons ranging from analyzing client demographics to targeting Denial of Service attacks.

That's where the X-Forwarded-For header comes in.  It is a non-RFC-standard HTTP request header that is used for identifying the originating IP address of a client connecting to a web server through a proxy.  The format of the header is:

X-Forwarded-For: client, proxy1, proxy2, …

X-Forwarded-For header logging is supported in Apache (with mod_proxy) but Microsoft IIS does not have a direct way to support the translation of the X-Forwarded-For value into the client ip (c-ip) header value used in its webserver logging.

Back in September, 2005 I wrote an ISAPI filter that can be installed within IIS to perform this transition.  This was primarily for F5 customers but I figured that I might as well release it into the wild as others would find value out of it.

Recently folks have asked for 64-bit versions (especially with the release of Windows 2008 Server).  This gave me the opportunity to brush up on my C skills.  In addition to building targets for 64-bit Windows, I went ahead and added a few new features that have been asked for.

Proxy Chain Support

The original implementation did not correctly parse the "client, proxy1, proxy2,…" format and assumed that there was a single IP address following the X-Forwarded-For header.  I've added code to tokenize the values and strip out all but the first token in the comma delimited chain for inclusion in the logs.
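The first-token extraction described above, as an added example that is not taken from the F5XForwardedFor source. The function names are hypothetical, and it uses POSIX inet_pton (an assumption, so it builds off-Windows) to check that the token is an address before it is logged:

```c
/* Added example; not the F5XForwardedFor source. Names are hypothetical. */
#include <arpa/inet.h>   /* POSIX inet_pton; assumption: built off-Windows */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the first comma-delimited token of an X-Forwarded-For value into out,
 * trimmed of surrounding whitespace. Returns 1 only when that token is a
 * valid IPv4 or IPv6 literal; otherwise returns 0 and leaves out empty. */
int xff_first_client(const char *value, char *out, size_t outlen)
{
    unsigned char addr[16];                 /* large enough for an IPv6 address */
    const char *start, *end;
    size_t len;

    if (out == NULL || outlen == 0) return 0;
    out[0] = '\0';
    if (value == NULL) return 0;
    start = value;
    while (*start && isspace((unsigned char)*start)) start++;
    end = start + strcspn(start, ",");      /* first comma or end of string */
    while (end > start && isspace((unsigned char)end[-1])) end--;

    len = (size_t)(end - start);
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    /* Only an address may reach the log; any other header text is dropped. */
    if (inet_pton(AF_INET, out, addr) == 1 || inet_pton(AF_INET6, out, addr) == 1)
        return 1;
    out[0] = '\0';
    return 0;
}

/* Value to log as c-ip: the parsed client, else the connection's peer address. */
const char *log_client_ip(const char *xff, const char *peer, char *buf, size_t n)
{
    return xff_first_client(xff, buf, n) ? buf : peer;
}

int main(void)
{
    char ip[INET6_ADDRSTRLEN];
    /* Constructed sample header values. */
    puts(log_client_ip("203.0.113.7, 10.0.0.5, 10.0.0.9", "10.0.0.9", ip, sizeof ip));
    puts(log_client_ip("bogus\r\nentry, 10.0.0.5", "10.0.0.9", ip, sizeof ip));
    return 0;
}
```

The first token is whatever the outermost sender put in the header, so it identifies the client only when the edge proxy sets or overwrites the header itself. Validating it as an address keeps arbitrary header text out of the log but does not make it authentic.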

Header Name Override

Others have asked to be able to change the header name that the filter looked for from "X-Forwarded-For" to some customized value.  In some cases they were using the X-Forwarded-For header for another reason and wanted to use iRules to create a new header that was to be used in the logs.  I implemented this by adding a configuration file option for the filter.  The filter will look for a file named F5XForwardedFor.ini in the same directory as the filter with the following format:

[SETTINGS]
HEADER=Alternate-Header-Name

The value of "Alternate-Header-Name" can be changed to whatever header you would like to use. 

Download

I've updated the original distribution file so that folks hitting my previous blog post would get the updates.  The following zip file includes 32 and 64 bit release versions of the F5XForwardedFor.dll that you can install under IIS6 or IIS7.

Installation

Follow these steps to install the filter.

  1. Download and unzip the F5XForwardedFor.zip distribution.
  2. Copy the F5XForwardedFor.dll file from the x86\Release or x64\Release directory (depending on your platform) into a target directory on your system.  Let's say C:\ISAPIFilters.
  3. Ensure that the containing directory and the F5XForwardedFor.dll file have read permissions by the IIS process.  It's easiest to just give full read access to everyone.
  4. Open the IIS Admin utility and navigate to the web server you would like to apply it to.
  5. For IIS6, Right click on your web server and select Properties.  Then select the "ISAPI Filters" tab.  From there click the "Add" button and enter "F5XForwardedFor" for the Name and the path to the file "c:\ISAPIFilters\F5XForwardedFor.dll" to the Executable field and click OK enough times to exit the property dialogs.  At this point the filter should be working for you.  You can go back into the property dialog to determine whether the filter is active or an error occurred.
  6. For IIS7, you'll want to select your website and then double click on the "ISAPI Filters" icon that shows up in the Features View.  In the Actions Pane on the right select the "Add" link and enter "F5XForwardedFor" for the name and "C:\ISAPIFilters\F5XForwardedFor.dll" for the Executable.  Click OK and you are set to go.

I'd love to hear feedback on this and if there are any other feature requests, I'm wide open to suggestions. The source code is included in the download distribution so if you make any changes yourself, let me know!

Good luck and happy filtering!

-Joe



 
      

Feedback


8/19/2009 10:38 PM
Thanks for sharing. This is a common topic that comes up when I converse w/ customers about their approach to site analytics. Any licensing restrictions on the usage of the DLLs?
Catherine Liao

8/19/2009 11:40 PM
No, I think the thanks go to you Catherine for linking on your appgirl.net blog.

There are absolutely no licensing restrictions on the filter. I've provided the filter along with the source AS-IS so use it to your heart's content. The only thing I ask is that you don't blame me if something goes wrong B-).
Joe Pruitt

8/23/2009 4:00 AM
Huge thanks!
Grzegorz

9/1/2009 8:04 AM
Thanks a lot, this is coming in very handy!
Ernest Mueller

9/2/2009 7:41 AM
Has anyone used this new filter with IIS 5? I cannot seem to make it work on IIS 5 and I cannot find the old one here.
Stephen Brown

11/16/2009 4:22 PM
Hello: This is an amazing piece of work. It solves one of the biggest problems that clients have with SNATs. Also it is very lightweight and makes no impact to performance, at least in my case.

Appreciate the good work!!
Chenna

11/16/2009 11:04 PM
Thanks Chenna, glad it's working out for you!

-Joe
Joe Pruitt

11/17/2009 12:13 PM
Hi there. We have run into an issue with analytics after putting the front end servers in our SharePoint farm behind an F5. Since then our web logs have not shown the true client IP address, which has caused an issue for our marketing department with analytics. I followed your instructions to install the ISAPI on our servers, and everything shows green like it is working but the logs are still displaying the IP of the F5 instead of the clients. Is there anything else that needs to be done in order for this to work? Thanks for any assistance.
Tray Harrison

11/17/2009 1:28 PM
Sorry Joe, I meant to add....does something need to be enabled on the F5 in order for this to work? I'm just the web server guy, so if something needs to be enabled on the network device then I'll need to let that team know. Thanks again!
Tray Harrison

11/17/2009 2:07 PM
Hey Tray, you will need to make sure that you have the X-Forwarded-For header passed through. The filter will look for the existence of that header and then replace the "c-ip" IIS log value with that supplied HTTP header. Depending on the version of BIG-IP you are using, this should be an option in the virtual server. If not, then you'll have to write an iRule to inject that header. Let me know if you need to go that route and I'll help you out.

-Joe
Joe Pruitt

11/17/2009 3:00 PM
@Stephen - There is nothing IIS specific in the filter so I don't know why it wouldn't work with IIS5. It's just a Win32 .dll with a few exported functions. In the latest build I put up I've compiled 32 and 64 bit versions but that's the only difference. I've seen some situations where file system permissions cause the filter to not be able to be loaded. What issue are you having?

-Joe
Joe Pruitt

11/23/2009 9:18 AM
Joe,

Any chance this will eventually move from an ISAPI filter to an IIS module for IIS7/7.5?

I ask because we are eliminating ISAPI plug-ins on our Windows 2008/R2 farms based in part on this guidance:
mvolo.com/.../...elopment-is-better-with-IIS7.aspx

EDF

11/23/2009 9:57 AM
I'll take a look. In the meantime, the source is available if anyone wants to take a stab at it.

-Joe
Joe

11/23/2009 9:58 AM
Joe,

Any idea if there are issues when IIS7 is in "integrated pipeline mode"? I've had reports there are issues with ISAPI filters and this mode option.
Wes Robertson

11/23/2009 10:06 AM
No clue Wes. Maybe going the module route will avoid those issues. If anyone sees issues with the XFF filter and IIS7 Integrated pipeline mode, let me know...

-Joe
Joe

11/30/2009 8:11 PM
Tested the 64 bit version with IIS7 in integrated pipeline mode, works fine.
Wes Robertson

12/23/2009 1:00 PM
X-Forwarded-For HTTP Module For IIS7, Source Included!
Joe Pruitt

12/27/2009 12:54 AM
Thanks, I would like to test it soon.
slomah

12/2/2009 10:21 AM
For those interested, be on the lookout soon for a native IIS XFF module. Working on packaging right now.
Joe

12/9/2009 11:16 AM
For those interested, I've got a native IIS7 Http Module that implements the features of the X-Forwarded-For ISAPI filter. Contact me directly at Joe -at- F5 dot com and I'll send you the bits to test out.

-Joe
Joe

2/2/2010 2:25 PM
Will this work with SSL connections? We have BigIP in front of Exchange 2007 OWA/CAS which requires SSL so we are not terminating the cert on the BigIP, we are passing traffic through and the cert is on the CAS. I have the older version of the ISAPI filter installed but it's still reporting the proxy's IP.
Sandy

2/4/2010 5:05 PM
This will work as long as the X-Forwarded-For header is passed through to the web server. Since you aren't terminating SSL connections on the BIG-IP, you can't inject it there.

-Joe
Joe

3/3/2010 1:56 PM
I have the old version running for some time successfully.

I installed the newer version because I want to use an alternate header.

but the newer version does not write any ip info (no +...) in the log file.

this is even without a ini file custom header.

mendel

P.S. my apologies if this is a double post, but I did not get any indication that my post attempt was successful.
mendel