IIS X-Forwarded-For ISAPI Filter
A recent customer issue came up where they were load balancing servers but were unable to get the true client address logged in their IIS logs. They had their servers fronted by a BIG-IP, and when clients made requests, the address passed to the server was the internal address and not that of the client.
This is a common issue with proxies and fortunately there is a standard for forwarding client information. It is the HTTP X-Forwarded-For header which is handled by most proxies. So, I set out to find an existing ISAPI filter to replace the c-ip (client ip) log value in IIS with the contents of the X-Forwarded-For header (if it exists). I was amazed to find that I couldn't find a single instance of any open source (or even commercial) filter that would do this.
So, I dug out Visual Studio and whipped up a filter that does just that. It's very basic and contains no user configuration, so all you need to do is plug it into your Web Application's list of ISAPI Filters within the IIS Administration and you're set to go.
We've released the source under the iControl End User License Agreement (available in any iControl SDK download). You can download it here. If you find a way to optimize this filter, please let me know and I'll update the sources here.
Within 24 hours of posting, a customer had already returned some performance testing on the filter indicating that it affected the traffic by less than 1 percent. I'm sure there are ways to optimize the memory allocation in the filter to speed this up a bit more, but I'll leave that for the community to work on.
Oh, and it should be noted that the X-Forwarded-For header isn't supported the same way across all proxy products, so you'll want to make sure you test this out before using it. The filter expects the header to contain only an IP address, as it does a straight substitution of that value into the c-ip field of the log entry.
Enjoy!
-Joe
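Because the filter substitutes the header value straight into c-ip, a value that is not a single address (a comma-separated proxy chain, or text containing spaces) ends up in the space-delimited log line as-is. The following is an added example, not the filter's own source: a strict check that uses the header only when it is exactly one dotted-quad IPv4 address and otherwise keeps the connection address. The function names `is_single_ipv4` and `select_log_ip` are hypothetical, IPv4-only handling is an assumption, and the sample addresses are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s is exactly one dotted-quad IPv4 address (no spaces,
   commas, ports or trailing bytes), else 0. */
static int is_single_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL) return 0;
    while (octets < 4) {
        int value = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255) return 0;
            s++;
        }
        if (digits == 0) return 0;           /* empty octet, e.g. "1..2.3" */
        if (++octets < 4 && *s++ != '.') return 0;
    }
    return *s == '\0';                        /* reject anything after octet 4 */
}

/* Choose the value to log as c-ip. xff is the raw X-Forwarded-For value
   (NULL if absent); peer_ip is the address the server saw on the socket.
   Returns 1 if the header value was used, 0 if peer_ip was kept. */
int select_log_ip(const char *xff, const char *peer_ip, char *out, size_t outlen)
{
    int use_header = is_single_ipv4(xff);
    const char *chosen = use_header ? xff : (peer_ip ? peer_ip : "-");
    if (out == NULL || outlen == 0) return 0;
    strncpy(out, chosen, outlen - 1);
    out[outlen - 1] = '\0';
    return use_header;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "203.0.113.7", "203.0.113.7, 10.1.1.1",
                              "203.0.113.7 200 0 0", "999.1.1.1", NULL };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int used = select_log_ip(samples[i], "10.0.0.5", buf, sizeof buf);
        printf("%-24s -> c-ip=%s (%s)\n", samples[i] ? samples[i] : "(absent)",
               buf, used ? "header" : "peer");
    }
    return 0;
}
```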
- It's been quite a while since I posted that source and can't find the loading of the INI file in it. I'll have to dig through my dev machine to see if I still have it. I'll let you know.
- All I get is a red arrow pointing down and a status of unknown under IIS 6 32 bit.
- That could be a lot of things. First, I would go to the directory where the dll is located with explorer and make sure that the IIS user has access to the file.
- All I see in the event log is
- I haven't looked at this for a few years now so I'm not sure I can help much (despite originally writing it). I'll try to get some time to install it on one of my dev systems and see if I can replicate the issue.
- There is no newer version as I haven't looked at this for years. The source should still be available if you want to recompile for yourself. The most likely issue of the dll not being able to be loaded is an issue with permissions. Select Properties on the .dll from explorer and give full control to all and see if it then loads.
- Hope that helps out!
- Instead of writing the X-Forwarded address to the log, how can you modify the remote addr variable to get replaced with the X-Forwarded IP?
- I just rebuilt and tested with Win2k8-x64 and IIS7 and it works like a champ. The link in my post is updated with the latest build.
- @Clive - Glad it worked out for you!