X-Forwarded-For HTTP Module For IIS7, Source Included!
For those who of you that are having problems with logging client addresses in their server logs because you are running your web servers behind a proxy of some sort, never fear, your solution is here. For those that don't, I already discussed in my previous posts about what the X-Forwarded-For header is so feel free to click back into those to read about it.
History
Back in September, 2005 I wrote and posted a 32-bit ISAPI filter that extracted the X-Forwarded-For header value and replaced the c-ip value (client ip) that is stored in the server logs. Lots of folks have found this useful over time and I was eventually asked for a 64-bit version which I posted about in August, 2009.
The Question
Well, it looks like it's time for the next generation for this filter… I received an email from a colleague here at F5 telling me that his customer didn't want to deploy any more ISAPI filters in their IIS7 infrastructure. IIS7 introduced the concept of IIS Modules that are more integrated into the whole pipeline and was told that Microsoft is recommending folks move in that direction. I was asked if I had plans to port my ISAPI filter into a HTTP Module.
The Answer
Well, the answer was "probably not", but now it's changed to a "yes"!
The Solution
In reading about IIS Module, I found that you can develop in managed (C#/VB) or Native (C++) code. I loaded up the test C# project to see if I could get it working. In a matter of minutes I had a working module that intercepted the event when logging occurs. The only problem was that from managed code, I could find no way to actually modify the values that were passed to the logging processor. This was a problem so I scrapped that and moved to a native C++ module. After a little while of jumping through the documentation, I found the things I needed and pretty soon I had a working HTTP module that implemented the same functionality as the ISAPI filter.
Download
The new Http Module hasn't had much testing done so please test it out before you roll it out into production. I've made the source available as well if you find an issue and care to fix it. Just make sure you pass back the fixes to me B-).
The filter will require installation into IIS in order for you to be able to add it to your applications. Both distributions include a readme.txt file with an example installation procedure. Make sure you use the Release builds for the appropriate platform (x86 or x64) unless you are in need of some troubleshooting as the Debug build will dump a lot of data to a log file. The module supports customizable headers if you are using something other than X-Forwarded-For. Instructions for using that are in the readme.txt file as well.
If you have any issues with using this, please let me know on this blog. Keep in mind that this is an unsupported product, but I'll do my best to fix any issues that come up. I'm even open to enhancements if you can think of any.
Enjoy!
-Joe
- Kyle74Altocumulus
Hi Joe,
So we're having to use this in IIS 10 on Server 2016.
Our security team doesn't like the XFF and C-IP being separate, so I've been tasked with finding a way to merge the two, this looks like the answer.
However, on a test server, I'm not sure how to test this out and make sure it works.
I do have a custom log for the XFF field setup, not sure if that's messing with the module.
The server I'm working on is not behind the F5 and I can only connect to the host internally, though I'm using Fiddler to setup a proxy.
I'm not sure if the module is working or not.
Could you assist?
- spellingbNimbostratus
Hey i'm having the exact same issue. I tried installing for IIS 10 but get error
"The specified procedure could not be found." with a detailed error of 0000007F - "The specified procedure could not be found." discussed here https://blogs.msdn.microsoft.com/david.wang/2005/06/21/howto-diagnose-and-fix-common-isapi-filter-installation-failures/
From what I can tell, there looks to be something that needs updated in the DLL for IIS 10
any info on how to get this working in IIS 10 would be wonderful!!!
- RickMNimbostratus
@spellingb We are using it on windows 2016. we've been using it since windows 2008R2.
1 --installing both 64bit and 32bit modules
Put the 64-bit version in c:\program files\f5module. Put the 32-bit version in c:\program files (x86)\f5module.
echo ###loading the module to IIS
c:\windows\system32\inetsrv\appcmd.exe install module /name:F5XFFHttpModule /image:"%%ProgramFiles%%\F5module\F5XFFHttpModule.dll"
using %ProgramFiles% as the folder, whether your IIS app pool is 32-bit or 64-bit, it can get the correct 'bitness' module. The double percent signs %% are needed when this is in a .BAT or .CMD file.
2 -- your bigip *MUST* be inserting the x-forwarded-for header, enabled in the HTTP profile of the vip.
3 -- It only works for successful requests. On HTTP errors for example 404 or 500, it does not get a chance to run so the SNAT address is logged.