How to Add an X-Forwarded-For Header and Configure IIS Logging

The X-Forwarded-For (XFF) HTTP header field is a standard method for identifying the originating IP address of a client connecting to a server through the Kemp LoadMaster or any proxy.

The Kemp LoadMaster allows us to give the client's IP address to the destination Real Server by inserting the X-Forwarded-For header when Layer7 is used with non-transparency.

Inserting the X-Forwarded-For header allows the Real Server to log the client source IP address in its logs.

Adding the X-Forwarded-For header using the LoadMaster can be done either as a global setting or as a per-Virtual Service setting. Refer to the relevant section below for steps on how to add the header.

Note: The addition of the X-Forwarded-For header is only available for HTTP and HTTPS traffic with SSL Offloading.

 

Setting The Additional X-Forwarded-For Header Globally

In the main menu of the LoadMaster User Interface (UI), select System Configuration > Miscellaneous Options >  L7 Configuration > Additional L7 HeaderX-Forwarded-For.

 

Setting The Additional X-Forwarded-For Header Per Virtual Service

  1. In the main menu of the LoadMaster WUI, select Virtual Services > View/Modify Services.
  2. Click Modify on the relevant Virtual Service.
  3. Expand the Advanced Properties section.
  4. In the Add HTTP Headers drop-down list, select either X-Forwarded-For (No Via) or X-Forwarded-For (+ Via).

 

Configuring Custom IIS Logging Fields on Microsoft Server 2012 

In IIS 8.5 and later, custom logging fields can be added to record X-Forwarded-For headers to record a client's source IP address when transparency is not being used.

 

Navigate to the site which will use X-Forwarded-For logging and click Logging and Open Feature.

xff--8.png

 

Click the Select Fields... option

xff--9.png

 

Click the Add Field... option.

Configure the fields as indicated below:

Field Name: X-Forwarded-For

Source type: Request Header

Source name: X-Forwarded-For (syntax important)

Click OK twice.

xff--10.png

 

Click Apply in the top-right of the logging options page.

xff--11.png

 

Now, generate some log traffic by navigating to the Virtual Service and hitting refresh a few times.

Go to the location of the advanced logfiles and open the newly created logfiles.

The default location is C:\inetpub\logs\LogFiles\W3SVC1.

xff--12.png

 

Configuring Apache logging fields

Apache

You must change the settings on the Apache configuration file:

“/etc/apache2/apache2.conf”

To log additional headers. For example:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{x-forwarded-for}i\"

\"%{Referer}i\" \"%{User-agent}i\"" combined

 

List below is from https://www.apacheviewer.com/log-format/.

 

Log Format String

Name

Description

%h

host

IP address of visitor

%l

logname

Empty in many cases

%u

user

Empty in many cases unless user is authenticated

%t

date & time

Date and time that the event occurred

\"%r\"

request

Request string

%>s

status

HTTP status code

%b

size

HTTP size

\"%{Referer}i\"

Referer

Referer host

\"%{User-agent}i\"

User agent header

Web browser or bot identification

%a

host

IP address

%h_p

host & port

IP address and port

\"%h\"

host

IP address in quotes

%{x-forwarded-for}i

host

IP address

\"%{x-forwarded-for}i\"

host

IP address in quotes

%t_u

time

Time in universal mode

%t_ctime

time

Time in ctime format

%radd

 

Add to request header

In LogFormat string use it if you wish to concatenate different sections together, for example:
LogFormat "%r %h %radd %radd %s"

%B

size

Size in bytes

%I

Received

Bytes Received

%O

Sent

Bytes Sent

%S

Transferred

Bytes Transferred

%V

Virtual Host

 

%v

Virtual Host

 

%T

Time Taken

Time taken

%D

Time Taken

Time taken in milliseconds (ms)

%T/%D

Time Taken

Time taken and time taken in ms

%rh

Remote Host

Remote host (IP address)

 

Logs can be read from one of these locations, depending on the Operating System (OS).

 

“/var/log/httpd/access.log”

“/var/log/apache/access.log”

“/var/log/apache2/access.log”

LoadMaster X-Forward Setup

 

Wireshark Trace / TCPdump

 

Client address                   193.167.86.166                                 

LoadMaster address         172.31.47.13

Real server address          34.243.74.139

mceclip1.png

Legacy Operation(X-Forwarded-For)

mceclip3.png

None

mceclip4.png

X-ClientSide (+Via)

mceclip5.png

X-ClientSide (No Via)

mceclip6.png

X-Forward-For (+ Via)

mceclip7.png

X-Forward-For (No Via)

mceclip8.png

Via Only

mceclip9.png

 

 

Was this article helpful?

0 out of 0 found this helpful

Comments