How to Add an X-Forwarded-For Header and Configure IIS Logging
The X-Forwarded-For (XFF) HTTP header field is a standard method for identifying the originating IP address of a client connecting to a server through the Kemp LoadMaster or any proxy.
The Kemp LoadMaster can pass the client's IP address to the destination Real Server by inserting the X-Forwarded-For header when Layer 7 is used with non-transparency.
Inserting the X-Forwarded-For header allows the Real Server to log the client source IP address in its logs.
Adding the X-Forwarded-For header using the LoadMaster can be done either as a global setting or as a per-Virtual Service setting. Refer to the relevant section below for steps on how to add the header.
Note: The addition of the X-Forwarded-For header is only available for HTTP and HTTPS traffic with SSL Offloading.
Setting The Additional X-Forwarded-For Header Globally
In the main menu of the LoadMaster User Interface (UI), select System Configuration > Miscellaneous Options > L7 Configuration > Additional L7 Header > X-Forwarded-For.
Setting The Additional X-Forwarded-For Header Per Virtual Service
- In the main menu of the LoadMaster WUI, select Virtual Services > View/Modify Services.
- Click Modify on the relevant Virtual Service.
- Expand the Advanced Properties section.
- In the Add HTTP Headers drop-down list, select either X-Forwarded-For (No Via) or X-Forwarded-For (+ Via).
Configuring Custom IIS Logging Fields on Microsoft Server 2012
In IIS 8.5 and later, custom logging fields can be added to record the X-Forwarded-For header, and with it the client's source IP address, when transparency is not being used.
Navigate to the site which will use X-Forwarded-For logging, click Logging, and then click Open Feature.
Click the Select Fields... option.
Click the Add Field... option.
Configure the fields as indicated below:
Field Name: X-Forwarded-For
Source type: Request Header
Source name: X-Forwarded-For (syntax important)
Click OK twice.
Click Apply in the top-right of the logging options page.
Now, generate some log traffic by navigating to the Virtual Service and hitting refresh a few times.
Go to the location of the advanced logfiles and open the newly created logfiles.
The default location is C:\inetpub\logs\LogFiles\W3SVC1.
Configuring Apache logging fields
Apache
To log additional headers, you must change the settings in the Apache configuration file “/etc/apache2/apache2.conf”. For example (the directive must be on a single line):
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{x-forwarded-for}i\" \"%{Referer}i\" \"%{User-agent}i\"" combined
The list below is from https://www.apacheviewer.com/log-format/.
| Log Format String | Name | Description |
| --- | --- | --- |
| %h | host | IP address of visitor |
| %l | logname | Empty in many cases |
| %u | user | Empty in many cases unless user is authenticated |
| %t | date & time | Date and time that the event occurred |
| \"%r\" | request | Request string |
| %>s | status | HTTP status code |
| %b | size | HTTP size |
| \"%{Referer}i\" | Referer | Referer host |
| \"%{User-agent}i\" | User agent header | Web browser or bot identification |
| %a | host | IP address |
| %h_p | host & port | IP address and port |
| \"%h\" | host | IP address in quotes |
| %{x-forwarded-for}i | host | IP address |
| \"%{x-forwarded-for}i\" | host | IP address in quotes |
| %t_u | time | Time in universal mode |
| %t_ctime | time | Time in ctime format |
| %radd | Add to request header | |
| %B | size | Size in bytes |
| %I | Received | Bytes Received |
| %O | Sent | Bytes Sent |
| %S | Transferred | Bytes Transferred |
| %V | Virtual Host | |
| %v | Virtual Host | |
| %T | Time Taken | Time taken |
| %D | Time Taken | Time taken in milliseconds (ms) |
| %T/%D | Time Taken | Time taken and time taken in ms |
| %rh | Remote Host | Remote host (IP address) |
Logs can be read from one of these locations, depending on the Operating System (OS).
“/var/log/httpd/access.log”
“/var/log/apache/access.log”
“/var/log/apache2/access.log”
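Because any client can send its own X-Forwarded-For value, a log reader should honour the field only on requests whose %h is the LoadMaster. The Python below is an added example, not Kemp's or Apache's code: it parses lines written with the LogFormat shown above and picks the address to attribute each request to. It assumes the LoadMaster address from the trace on this page (172.31.47.13) is the only trusted proxy and that the proxy appends the client address to the right of any header the client already sent; the function names and sample lines are constructed.

```python
import ipaddress
import re

# Field layout of the LogFormat shown on this page:
# %h %l %u %t "%r" %>s %b "%{x-forwarded-for}i" "%{Referer}i" "%{User-agent}i"
Q = r'"((?:[^"\\]|\\.)*)"'  # one quoted field; Apache escapes embedded quotes
LINE_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] ' + Q + r' (\d{3}) (\S+) '
    + Q + ' ' + Q + ' ' + Q + r'$')
FIELDS = "peer logname user time request status size xff referer agent".split()

# Assumption: the LoadMaster from the page's trace is the only trusted proxy.
TRUSTED = {ipaddress.ip_address("172.31.47.13")}


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None


def client_ip(entry, trusted=TRUSTED):
    """Address to attribute the request to.

    X-Forwarded-For counts only when the peer (%h) is a trusted proxy; it
    is read right to left. Unparseable values fall back to the peer.
    """
    try:
        if ipaddress.ip_address(entry["peer"]) not in trusted:
            return entry["peer"]  # direct connection: ignore the header
        for hop in reversed(entry["xff"].split(",")):
            addr = ipaddress.ip_address(hop.strip())
            if addr not in trusted:
                return str(addr)  # rightmost hop added by the trusted proxy
    except ValueError:
        pass  # "-" or a non-IP value in the header or in %h
    return entry["peer"]


# Constructed sample lines (not captured traffic).
SAMPLE = [
    '172.31.47.13 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "193.167.86.166" "-" "curl/8.0"',
    '172.31.47.13 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "10.9.9.9, 193.167.86.166" "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "193.167.86.166" "-" "curl/8.0"',
    '172.31.47.13 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 512 "-" "-" "curl/8.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(client_ip(parse_line(raw)))
```

The third sample line reaches the Real Server without passing through the LoadMaster, so its header is ignored and the request is attributed to the connecting address.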
LoadMaster X-Forward Setup
Wireshark Trace / TCPdump
Client address 193.167.86.166
LoadMaster address 172.31.47.13
Real server address 34.243.74.139
Legacy Operation(X-Forwarded-For)
None
X-ClientSide (+Via)
X-ClientSide (No Via)
X-Forward-For (+ Via)
X-Forward-For (No Via)
Via Only