| By Joe Pruitt | Article Rating: |
|
| August 20, 2009 11:30 AM EDT | Reads: |
168 |
For those that don't know what X-Forwarded-For is, then you might as well close your browser because this post likely will mean nothing to you…
A Little Background
Now, if you are still reading this, then you likely are having issues with determining the origin client connections to your web servers. When web requests are passed through proxies, load balancers, application delivery controllers, etc, the client no longer has a direct connection with the destination server and all traffic looks like it's coming from the last server in the chain. In the following diagram, Proxy2 is the last hop in the chain before the request hits the destination server. Relying on connection information alone, the server thinks that all connections come from Proxy2, not from the Client that initiated the connection.
The only one in the chain here who knows who the client really is (as determined by it's client IP Address, is Proxy1. The problem is that application owners rely on source client information for many reasons ranging from analyzing client demographics to targeting Denial of Service attacks.
That's where the X-Forwarded-For header comes in. It is non-RFC standard HTTP request header that is used for identifying the originating IP address of a client connecting to a web server through a proxy. The format of the header is:
X-Forwarded-For: client, proxy1, proxy, …
X-Forwarded-For header logging is supported in Apache (with mod_proxy) but Microsoft IIS does not have a direct way to support the translation of the X-Forwarded-For value into the client ip (c-ip) header value used in its webserver logging.
Back in September, 2005 I wrote an ISAPI filter that can be installed within IIS to perform this transition. This was primarily for F5 customers but I figured that I might as well release it into the wild as others would find value out of it.
Recently folks have asked for 64 bit versions (especially with the release of Windows 2008 Server). This gave me the opportunity to brush up on my C skills. In addition to building targets for 64 bit windows, I went ahead and added a few new features that have been asked for.
Proxy Chain Support
The original implementation did not correctly parse the "client, proxy1, proxy2,…" format and assumed that there was a single IP address following the X-Forwarded-For header. I've added code to tokenize the values and strip out all but the first token in the comma delimited chain for inclusion in the logs.
Header Name Override
Others have asked to be able to change the header name that the filter looked for from "X-Forwarded-For" to some customized value. In some cases they were using the X-Forwarded-For header for another reason and wanted to use iRules to create a new header that was to be used in the logs. I implemented this by adding a configuration file option for the filter. The filter will look for a file named F5XForwardedFor.ini in the same directory as the filter with the following format:
[SETTINGS]
HEADER=Alternate-Header-Name
The value of "Alternate-Header-Name" can be changed to whatever header you would like to use.
Download
I've updated the original distribution file so that folks hitting my previous blog post would get the updates. The following zip file includes 32 and 64 bit release versions of the F5XForwardedFor.dll that you can install under IIS6 or IIS7.
Installation
Follow these steps to install the filter.
- Download and unzip the F5XForwardedFor.zip distribution.
- Copy the F5XForwardedFor.dll file from the x86\Release or x64\Release directory (depending on your platform) into a target directory on your system. Let's say C:\ISAPIFilters.
- Ensure that the containing directory and the F5XForwardedFor.dll file have read permissions by the IIS process. It's easiest to just give full read access to everyone.
- Open the IIS Admin utility and navigate to the web server you would like to apply it to.
- For IIS6, Right click on your web server and select Properties. Then select the "ISAPI Filters" tab. From there click the "Add" button and enter "F5XForwardedFor" for the Name and the path to the file "c:\ISAPIFilters\F5XForwardedFor.dll" to the Executable field and click OK enough times to exit the property dialogs. At this point the filter should be working for you. You can go back into the property dialog to determine whether the filter is active or an error occurred.
- For II7, you'll want to select your website and then double click on the "ISAPI Filters" icon that shows up in the Features View. In the Actions Pane on the right select the "Add" link and enter "F5XForwardedFor" for the name and "C:\ISAPIFilters\F5XForwardedFor.dll" for the Executable. Click OK and you are set to go.
I'd love to hear feedback on this and if there are any other feature request, I'm wide open to suggestions. The source code is included in the download distribution so if you make any changes yourself, let me know!
Good luck and happy filtering!
-Joe
Read the original blog entry...
Published August 20, 2009 Reads 168
Copyright © 2009 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
More Stories By Joe Pruitt
Joe Pruitt is a Sr. Strategic Architect at F5 Networks working with Network and Software Architects to allow them to build network intelligence into their applications.
- SOA in the Cloud - Monitoring and Management for Reliability
- 1st Annual Government IT Expo: Call for Papers Deadline July 15
- An Interview with Federal CIO Nominee Vivek Kundra
- Cloud Computing Bootcamp Returns to Silicon Valley
- Google Wave Is Much Better Than Twitter
- An A to Z of the Social Media Landscape: A to G
- 1st Annual Government IT Conference & Expo: Letter from the Technical Chair
- Google Announces Chrome Operating System
- IBM Adds to its Cloud Repertoire
- Practical Approaches for Optimizing Website Performance
- SOA in the Cloud - Monitoring and Management for Reliability
- Oracle-Sun: Jonathan Schwartz Writes His Toughest Ever Email
- 1st Annual Government IT Expo: Call for Papers Deadline July 15
- Building Private and Hybrid Clouds with Ubuntu 9.04
- Ulitzer Responds to Published Reports
- An Interview with Federal CIO Nominee Vivek Kundra
- Google App Engine Learns to Speak Java
- i(Phone) Have My Data Here, Now I Want It There...What's the Problem?
- Kevin L. Jackson Launches "Government Cloud Computing Journal" on Ulitzer
- The Darker Sides Of Cloud Computing: Security and Availability
- Personal Branding Checklist
- Open Web Developer Summit to Take Place April 21-22, 2008 in New York City
- Wal-Mart To Sell $399 Ubuntu Linux-based Laptop with Google Operating System
- Google's OpenSocial: A Technical Overview and Critique
- Web 2.0 Is Dead And It's Time To Get Out Of This Mess!
- Why Microsoft Loves Google's Android
- i-Technology Blog: Google Trends on Java, McNealy, AJAX, and SOA Give Pause For Thought
- Android: Who Hates Google Over the Phone?
- Google Sales Surge 57% and Net Income 46% in Quarter 3
- i-Technology Blog: Is There Life Beyond Google?
































