
Question summary:

Does URL Rewrite / Application Request Routing within IIS mean that the cs-host field no longer logs the request hostname and instead logs the target server ip & port? If so, how can I log the hostname in my IIS logs?

Question detail:

I have a multi-tenant application hosted on several IIS servers and until now haven't been logging cs-host field. I selected cs-host in the W3C Logging Fields dialog and was then surprised to see my server IP address and port logged instead of the requested hostname :-(

My guess is that it's something to do with me using URL Rewrite / ARR. This is how I use URL Rewrite:

  • Tenants each have their own subdomain, like atenant.mycoolapp.com
  • All subdomains point to the IP address of my main IIS server, let's call it 10.52.123.40
  • Binding on one WebSite on that server is for *.mycoolapp.com, so all requests go to that WebSite
  • URL Rewrite is configured on that WebSite so that different URL paths are rewritten to different WebSites, some on the same server and some on other IIS servers. e.g. here's one rule that rewrites all the urls with path starting 'api/account/' to a different IIS server, let's call it IP 10.52.123.45:
      Input: URL path after '/'
      Match: Matches
      Pattern: ^api/account/(.*)
      Action Type: Rewrite
      Action URL: https://10.52.123.45:1200/api/account/{R:1}
  • All rules have 'Log rewritten URL' ticked, but un-ticking it doesn't change anything.

The server IP address & port that is logged is the re-written one, i.e. the server & IP that actually hosts the code that processes the request & generates the response.

I've turned on cs-host logging on both the WebSite that receives the initial request and the WebSites that receive the rewritten request. Both of them contain the IP & port instead of the hostname in the cs-host field.

Here's an example line from my IIS log file (I've replaced the IP addresses) from the main WebSite. I get the same sort of thing in the other WebSite logs too (i.e. server IP & port instead of hostname in cs-host).

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-09-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes time-taken
2020-09-30 00:00:04 10.52.123.40 GET /api/admin/system/users/admin - 443 - 12.34.56.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://atenant.mycoolapp.com/ 10.52.123.45:1200 200 0 0 770 46

So my questions are: is it URL Rewrite / ARR that's doing this, and if so how can I log the requested hostname?

Rory
  • https://serverfault.com/questions/936922/setting-up-iis-reverse-proxy-to-preserve-host-headers – Lex Li Oct 02 '20 at 19:41
  • Ah, that looks very useful, many thanks! Still doesn't make sense to me that IIS logs the rewritten host, but I'll try changing that setting and see if it sorts things out. – Rory Oct 03 '20 at 09:10

1 Answer


Thanks to @LexLi for pointing me to Setting up IIS reverse proxy to preserve host headers. If I set system.webServer/proxy.preserveHostHeader=True then the requested host is logged in both the ARR server and in the other IIS servers.

I still think it's odd that the rewritten hostname is logged on the server with ARR if I don't have that setting to True, but the solution is good enough for me.

Rory
  • No. It is not odd at all. If possible, use a tool like Wireshark to capture the HTTP requests in and out of the ARR server, and you should easily see the Host header changes when that `preserveHostHeader` flag flips. IIS log entries come from the request bodies. – Lex Li Oct 03 '20 at 14:32
  • I get that the host header changes, I just expected that what goes in the IIS log entries on the ARR server would be the request as it hit the server, not the request after rule processing. But clearly I was wrong :) Clearly log entries are made after the response is completed, since there's timing info, so perhaps it does make most sense. If I didn't want `preserveHostHeader=True` then it'd be annoying if there's no way to log the requested host, but fortunately I'm fine with `preserveHostHeader=True`. – Rory Oct 03 '20 at 19:19
  • "I just expected that what goes in the IIS log entries on the ARR server would be the request as it hit the server". But that's exactly what IIS does. – Lex Li Oct 03 '20 at 19:35
  • But that’s the point of my question: what’s logged in cs-host on the ARR server is the *rewritten* host, which in my case is just the IP and port of another server that’ll handle the request. Which means I lose the requested host name. If I set preserveHostHeader=True then cs-host has the original host. – Rory Oct 03 '20 at 20:03
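
Added example (not part of the original thread): a small Python audit that reads W3C logs in the format shown in the question and flags entries whose cs-host is an IP literal rather than a hostname, which is how the lost tenant name shows up when the Host header is not preserved. The sample lines are constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample in the W3C format shown in the question (addresses are placeholders).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs-host sc-status
2020-09-30 00:00:04 10.52.123.40 GET /api/account/login 443 12.34.56.100 10.52.123.45:1200 200
2020-09-30 00:00:09 10.52.123.40 GET /api/account/login 443 12.34.56.100 atenant.mycoolapp.com 200
"""

def host_is_ip_literal(host):
    """True when a cs-host value is an IP address (optionally with :port), not a DNS name."""
    if host.startswith("["):                 # bracketed IPv6, e.g. [::1]:1200
        candidate = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # IPv4:port or name:port
        candidate = host.rsplit(":", 1)[0]
    else:
        candidate = host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False

def audit_cs_host(log_text):
    """Parse W3C log text; return (total, flagged_rows) where cs-host is an IP literal."""
    fields, total, flagged = None, 0, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column order can change mid-file
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None or "cs-host" not in fields:
            continue                         # cs-host logging not enabled for this block
        values = line.split(" ")             # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue                         # truncated or malformed row
        row = dict(zip(fields, values))
        total += 1
        if host_is_ip_literal(row["cs-host"]):
            flagged.append(row)
    return total, flagged

if __name__ == "__main__":
    total, flagged = audit_cs_host(SAMPLE_LOG)
    for row in flagged:
        print(row["date"], row["time"], row["cs-uri-stem"], "cs-host =", row["cs-host"])
    print(f"{len(flagged)} of {total} entries lost the requested hostname")
```

Running it against logs written before and after changing `preserveHostHeader` shows whether per-tenant attribution is intact on both the ARR server and the back-end sites.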