Nov 9, 2017

How to log X-Forwarded-For events in IIS 8.5+ and in Apache

At my day job, we use a cloud based content delivery service called Incapsula that also acts as a cloud based load balancer. Like just about every load balancing solution, when traffic finally hits your web server, the only IP addresses you see are usually that of the load balancer. The same holds true with Incapsula.

Well, the other day I was asked to identify certain traffic by IP address, and I couldn't. The logs only showed that of Incapsula. I asked Incapsula for their logs so I could correlate, but they only keep security related logs due to PCI compliance, which is understandable. That meant that I needed a way to log X-Forwarded-For header information going forward.

If you are not familiar with X-Forwarded-For, according to Wikipedia:
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Makes sense right? Well, the good news is that both Apache and IIS (8.5 and above) support logging X-Forwarded-For natively with some slight modifications.

For IIS:
  • In IIS Manager, click the server name in the left panel to go to the Home screen
  • Click on Logging
  • Click on the Select Fields button
  • Click on the Add Field button
  • In the Field Name box enter x-forwarded-for
  • Leave Source Type set to Request Header
  • In the Source box enter X-Forwarded-For
  • Click OK
  • Click OK again
  • In the upper right of the Logging page click Apply
  • Restart IIS
Your logs will now be appended with _x to show that the logs contain custom fields. You can also follow this same process at the site level if you want. The above example makes the change global for all sites on the server.

For Apache (In Ubuntu):
  • Edit /etc/apache2/apache2.conf
  • Find the line that says
    LogFormat “%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  • Change it to
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  • Restart Apache

Simple right? Now you will be able to see actual client IP's in your logs!

Did this post help you? Let us know in the comments!

Twitter Delicious Facebook Digg Stumbleupon Favorites More

Design by Free WordPress Themes | Bloggerized by Lasantha - Premium Blogger Themes | stopping spam