How to Add an X-Forwarded-For Header and Configuring IIS Logging

 

The X-Forwarded-For (XFF) HTTP header field is a standard method for identifying the originating IP address of a client connecting to a server through the KEMP LoadMaster or any proxy.

The KEMP LoadMaster allows us to give the client's IP address to the destination Real Server by inserting the X-Forwarded-For header when L7 is used with non-transparency.

Inserting the X-Forwarded-For header allows the Real Server to log the client source IP address in its logs.

Adding the X-Forwarded-For header using the LoadMaster can be done either as a global setting or as a per-Virtual Service setting. Refer to the relevant section below for steps on how to add the header.

Note: The addition of the X-Forwarded-For header is only available for HTTP and HTTPS traffic with SSL Offloading.

 

Setting The Additional X-Forwarded-For Header Globally

In the main menu of the LoadMaster Web User Interface (WUI), select System Configuration > Miscellaneous Options > L7 Configuration and set Additional L7 Header to X-Forwarded-For.

 

Setting The Additional X-Forwarded-For Header Per Virtual Service

  1. In the main menu of the LoadMaster WUI, select Virtual Services > View/Modify Services.
  2. Click Modify on the relevant Virtual Service.
  3. Expand the Advanced Properties section.
  4. In Add HTTP Headers, select either the X-Forwarded-For (No Via) or the X-Forwarded-For (+ Via) option.

Configuring Custom IIS Logging Fields on Microsoft Server 2012 

In IIS 8.5 and later, custom logging fields can be added to record the X-Forwarded-For header, which carries the client's source IP address when transparency is not being used.

 

Navigate to the site that will use X-Forwarded-For logging, select Logging, and click Open Feature.

 

Click the Select Fields... option.

 

Click the Add Field... option.

Configure the fields as indicated below:

Field Name: X-Forwarded-For

Source type: Request Header

Source name: X-Forwarded-For (syntax important)

Click OK twice.


 

Click Apply in the top right of the logging options page.


 

Now generate some log traffic by navigating to the Virtual Service and hitting refresh a few times.

Go to the location of the advanced logfiles and open the newly created logfiles.

The default location is C:\inetpub\logs\LogFiles\W3SVC1.


 

Configuring Apache logging fields

To log additional headers, change the LogFormat setting in the Apache configuration file “/etc/apache2/apache2.conf”.

For example:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{x-forwarded-for}i\" \"%{Referer}i\" \"%{User-agent}i\"" combined

 

The list below is from https://www.apacheviewer.com/log-format/

| Log Format String | Name | Description |
|---|---|---|
| %h | host | IP Address of visitor |
| %l | logname | Empty in many cases |
| %u | user | Empty in many cases unless user is authenticated |
| %t | date & time | Date and time that the event occurred |
| \"%r\" | request | Request string |
| %>s | status | HTTP Status code |
| %b | size | HTTP Size |
| \"%{Referer}i\" | Referer | Referer host |
| \"%{User-agent}i\" | User agent header | Web browser or Bot identification |
| %a | host | IP Address |
| %h_p | host & port | IP Address and Port |
| \"%h\" | host | IP Address in quotes |
| %{x-forwarded-for}i | host | IP Address |
| \"%{x-forwarded-for}i\" | host | IP Address in quotes |
| %t_u | time | time in universal mode |
| %t_ctime | time | time in ctime format |
| %radd | | Add to request header. In the LogFormat string, use it if you wish to concatenate different sections together, e.g. LogFormat "%r %h %radd %radd %s" |
| %B | size | Size in bytes |
| %I | Received | Bytes Received |
| %O | Sent | Bytes Sent |
| %S | Transferred | Bytes Transferred |
| %V | Virtual Host | |
| %v | Virtual Host | |
| %T | Time Taken | Time Taken |
| %D | Time Taken | Time Taken in milliseconds |
| %T/%D | Time Taken | Time Taken and Time Taken in ms |
| %rh | Remote Host | Remote Host (IP Address) |

 

Logs can be read from one of these locations, depending on the OS:

 

“/var/log/httpd/access.log”

“/var/log/apache/access.log”

“/var/log/apache2/access.log”
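The following is an added example, not part of the original article or of any KEMP tooling: a parser for access-log lines written with the LogFormat shown above that decides which address to attribute a request to. It goes beyond the single-address case by handling a comma-separated X-Forwarded-For list, and it only honours the header when the connecting peer (%h) is the load balancer, because a client that reaches the Real Server directly can send any X-Forwarded-For value it likes. The TRUSTED_PROXIES set and the sample line are assumptions built from the addresses listed in the trace section further down this page.

```python
import ipaddress
import re

# Assumption: the only proxy allowed to supply X-Forwarded-For is the
# LoadMaster address given in the trace section of this page.
TRUSTED_PROXIES = {ipaddress.ip_address("172.31.47.13")}

# Matches the LogFormat above:
# %h %l %u %t "%r" %>s %b "%{x-forwarded-for}i" "%{Referer}i" "%{User-agent}i"
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>(?:[^"\\]|\\.)*)" '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def _parse_ip(text):
    """Return an ip_address object, or None if text is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(line):
    """Return the client IP to attribute a log line to, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    peer = _parse_ip(m.group("peer")) if m else None
    if peer is None:
        return None
    # A connection that did not come from the load balancer can put anything
    # in X-Forwarded-For, so the TCP peer is the only trustworthy address.
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; the first entry that is not a trusted proxy is the client.
    for hop in reversed(m.group("xff").split(",")):
        ip = _parse_ip(hop)
        if ip is None:  # "-", empty or malformed: stop trusting the list
            break
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    return str(peer)


# Constructed sample line using the addresses from the trace section.
SAMPLE = ('172.31.47.13 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" '
          '200 512 "193.167.86.166" "-" "curl/8.0"')
```

When the header is missing or malformed on a request that came through the load balancer, the function falls back to the load balancer's own address rather than guessing.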

Loadmaster X-Forward Setup

 

Wireshark Trace / TCPdump

 

Client address: 193.167.86.166

LM address: 172.31.47.13

Real server address: 34.243.74.139

[Screenshots not reproduced: one capture for each of the header options below]

Legacy Operation (X-Forwarded-For)

None

X-ClientSide (+Via)

X-ClientSide (No Via)

X-Forward-For (+ Via)

X-Forward-For (No Via)

Via Only

 

 
