X-Forwarded-For HTTP Module For IIS7, Source Included!
For those who of you that are having problems with logging client addresses in their server logs because you are running your web servers behind a proxy of some sort, never fear, your solution is here. For those that don't, I already discussed in my previous posts about what the X-Forwarded-For header is so feel free to click back into those to read about it.
History
Back in September, 2005 I wrote and posted a 32-bit ISAPI filter that extracted the X-Forwarded-For header value and replaced the c-ip value (client ip) that is stored in the server logs. Lots of folks have found this useful over time and I was eventually asked for a 64-bit version which I posted about in August, 2009.
The Question
Well, it looks like it's time for the next generation for this filter… I received an email from a colleague here at F5 telling me that his customer didn't want to deploy any more ISAPI filters in their IIS7 infrastructure. IIS7 introduced the concept of IIS Modules that are more integrated into the whole pipeline and was told that Microsoft is recommending folks move in that direction. I was asked if I had plans to port my ISAPI filter into a HTTP Module.
The Answer
Well, the answer was "probably not", but now it's changed to a "yes"!
The Solution
In reading about IIS Module, I found that you can develop in managed (C#/VB) or Native (C++) code. I loaded up the test C# project to see if I could get it working. In a matter of minutes I had a working module that intercepted the event when logging occurs. The only problem was that from managed code, I could find no way to actually modify the values that were passed to the logging processor. This was a problem so I scrapped that and moved to a native C++ module. After a little while of jumping through the documentation, I found the things I needed and pretty soon I had a working HTTP module that implemented the same functionality as the ISAPI filter.
Download
The new Http Module hasn't had much testing done so please test it out before you roll it out into production. I've made the source available as well if you find an issue and care to fix it. Just make sure you pass back the fixes to me B-).
The filter will require installation into IIS in order for you to be able to add it to your applications. Both distributions include a readme.txt file with an example installation procedure. Make sure you use the Release builds for the appropriate platform (x86 or x64) unless you are in need of some troubleshooting as the Debug build will dump a lot of data to a log file. The module supports customizable headers if you are using something other than X-Forwarded-For. Instructions for using that are in the readme.txt file as well.
If you have any issues with using this, please let me know on this blog. Keep in mind that this is an unsupported product, but I'll do my best to fix any issues that come up. I'm even open to enhancements if you can think of any.
Enjoy!
-Joe
Published Dec 23, 2009
Version 1.0
RickMNimbostratus
@spellingb We are using it on windows 2016. we've been using it since windows 2008R2.
1 --installing both 64bit and 32bit modules
Put the 64-bit version in c:\program files\f5module. Put the 32-bit version in c:\program files (x86)\f5module.
echo ###loading the module to IIS
c:\windows\system32\inetsrv\appcmd.exe install module /name:F5XFFHttpModule /image:"%%ProgramFiles%%\F5module\F5XFFHttpModule.dll"
using %ProgramFiles% as the folder, whether your IIS app pool is 32-bit or 64-bit, it can get the correct 'bitness' module. The double percent signs %% are needed when this is in a .BAT or .CMD file.
2 -- your bigip *MUST* be inserting the x-forwarded-for header, enabled in the HTTP profile of the vip.
3 -- It only works for successful requests. On HTTP errors for example 404 or 500, it does not get a chance to run so the SNAT address is logged.
spellingbHey i'm having the exact same issue. I tried installing for IIS 10 but get error
"The specified procedure could not be found." with a detailed error of 0000007F - "The specified procedure could not be found." discussed here https://blogs.msdn.microsoft.com/david.wang/2005/06/21/howto-diagnose-and-fix-common-isapi-filter-installation-failures/
From what I can tell, there looks to be something that needs updated in the DLL for IIS 10
any info on how to get this working in IIS 10 would be wonderful!!!
Kyle74Altocumulus
Hi Joe,
So we're having to use this in IIS 10 on Server 2016.
Our security team doesn't like the XFF and C-IP being separate, so I've been tasked with finding a way to merge the two, this looks like the answer.
However, on a test server, I'm not sure how to test this out and make sure it works.
I do have a custom log for the XFF field setup, not sure if that's messing with the module.
The server I'm working on is not behind the F5 and I can only connect to the host internally, though I'm using Fiddler to setup a proxy.
I'm not sure if the module is working or not.
Could you assist?
Russell_Buri_12I've tried this on IIS 8.5 and around 30% of the requests still show the F5 IP. Can someone confirm if there's a issue with this module or just with IIS 8.5? Others have reported similar issues without any response. Thanks.
- Stephen_Price_1
We have had to remove some SSL options (ciphers, key exchange, hashes) and the IIS service fails (503). The event logs show a list of errors all of which show a failure of the module. How does one remove the module?
- Carphunter_3490
was asked by an admin to try this on some of our IIS servers. It doesn't appear to be functioning (it's there and installed, but not affecting the logs).
is there a trick to the order the module loads to make it work?
- RickMworks with shared config, make sure file is in the right place on all farm members before you modify the IIS config
isavic_117478How to apply the same fix on application level, not just IIS (btw it works when I apply it bu in application logs I'm still seeing source IP as F5- aschaef_137607Joe, do you know if this works with IIS 8 on Windows Server 2012?
- josh_wiss_16008I have came across an odd issue with the module.
First i enabled X-forwarded on the F5
then i enabled Snat pool
then i installed the Module on an iis 7 build
When i get 200, 302, 500 responce the Client ip is listed correctly.
when i get a 400 responce the client ip shows up as the SNAT ip.
i installed netmon and the Xforwarded address is there and correct but it is not making it to the IIS logs.