3

I have got a few web servers running and I want all of them to be accessible via one domain. I set up ARR in IIS as a reverse proxy on another server and it works fine. I, however, need the source IP address to be kept when the requests are redirected to the servers. Otherwise, the servers see all the connections as originating from localhost, which isn't very good.

I know there is an option, forwarded_for, which creates the X-Forwarded-For header, but it is not really transparent because I have a WAF (Web Application Firewall) issue.

JohnnyLiao

3 Answers

6

Edited:

You need a rewrite rule for each of your websites that are having traffic directed to them from the proxy server. The rule will check to see if the HTTP_X_FORWARDED_FOR header exists and has a value. If it does, then we know the request has been forwarded from the proxy server, so we'll set the server variable REMOTE_ADDR to the value of HTTP_X_FORWARDED_FOR because we know that is the true IP address of the user.

Here's the rule:

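<rule name="RewriteRemoteAddr">
    <match url="(.*)" />
    <conditions>
        <!-- Apply the rule only when X-Forwarded-For is present and non-empty -->
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="([_0-9a-zA-Z]+)" />
    </conditions>
    <serverVariables>
        <!-- name takes the bare variable name; braces are only used to read a value -->
        <set name="REMOTE_ADDR" value="{HTTP_X_FORWARDED_FOR}" />
    </serverVariables>
    <action type="None" />
</rule>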
Tom Hall
  • I have multiple servers. I don't want to set the HTTP_X_FORWARDED_FOR variable because it is a non-standard request header. – JohnnyLiao Oct 16 '13 at 10:47
  • You want your websites to see the users' real IP addresses, but you don't want to have to look at HTTP_X_FORWARDED_FOR, so the only option is to write an inbound rewrite rule to overwrite the REMOTE_ADDR server variable. I'll come back with a solution in a moment. – Tom Hall Oct 16 '13 at 10:54
  • One important piece missing from this is that you must add REMOTE_ADDR to the Allowed Server Variables list in IIS. Otherwise you will get a server 500 error when you add the rewrite rule. To add the variable, open IIS Manager, drill down to your website, double click URL Rewrite, click "View Server Variables..." in the Actions area on the right and click "Add...". You'll need to add each variable you want to set. – Mark May 06 '16 at 20:08
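
A more restrictive form of the rule in the answer above, as an added example that is not part of the original answer or comments: it rewrites REMOTE_ADDR only when the connection comes from the proxy, and uses only the last IPv4 entry of X-Forwarded-For, because a client can send that header itself. The proxy address 10.0.0.5 and the rule name are placeholders, and IPv6 addresses are not handled.

```xml
<!-- Added example. 10.0.0.5 is a placeholder for the ARR proxy's address. -->

<!-- Configuration form of the "Allowed Server Variables" entry from the
     comment above (typically kept in applicationHost.config), placed
     inside <system.webServer><rewrite>: -->
<allowedServerVariables>
    <add name="REMOTE_ADDR" />
</allowedServerVariables>

<!-- web.config of each content site, inside <system.webServer><rewrite><rules>: -->
<rule name="RewriteRemoteAddrFromTrustedProxy">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll">
        <!-- Trust the header only when the TCP peer is the proxy itself.
             Requests that reach the site directly keep their real REMOTE_ADDR. -->
        <add input="{REMOTE_ADDR}" pattern="^10\.0\.0\.5$" />
        <!-- Capture the last comma-separated entry (the one the nearest proxy
             appended) and drop an optional :port suffix. Entries further left
             may have been supplied by the client. -->
        <add input="{HTTP_X_FORWARDED_FOR}"
             pattern="(?:^|,)\s*(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$" />
    </conditions>
    <serverVariables>
        <!-- {C:1} is the capture group of the last matched condition -->
        <set name="REMOTE_ADDR" value="{C:1}" />
    </serverVariables>
    <action type="None" />
</rule>
```

If the content servers are reachable only through the proxy at the network level, the first condition is redundant but harmless.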
0

You can use the ARR Helper to get the actual Client-IP in your logs:

http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx

Brock Hensley
0

I'm testing this using the REMOTE_ADDR server variable as documented above, but it's not acting as a fully transparent reverse proxy: I can still see the reverse proxy's IP as the origin IP and the original one as HTTP_X_FORWARDED_FOR.

I'm using exactly the above instruction:

<set name="REMOTE_ADDR" value="{HTTP_X_FORWARDED_FOR}" replace="true" />
Regolith
Stefano D'Urso