2 May 03:42
Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?
From: Russ Lavoy <ussray_00 <at> yahoo.com>
Subject: Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-02 01:42:15 GMT

In the Linux world and my current configuration, I use
mod_extract_forwarded2 to get the "X-Forwarded-For"
header before Apache AND before modsecurity.

If my memory serves me right there is a
mod_extract_forward module for the Windows version of
Apache... (Not sure about IIS though).

If you are running something older than 2.1.4 you will
also need to re-compile modsecurity and change the
following line in mod_security2.c.... Whatever module
you choose to use, make sure it is somewhere in the
below constant.

    /* Modules whose post-read-request hooks must run before ModSecurity's */
    static const char *postread_beforeme_list[] = {
        "mod_rpaf.c",
        "mod_extract_forwarded2.c",
        "mod_breach_realip.c",
        "mod_breach_trans.c",
        "mod_unique_id.c",
        NULL
    };

Good luck...
Russ
--- Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:
> Hi there
>
> We are using modsecurity on Apache to protect backend IIS servers (ie a
> WAF), and of course, one downside is that all the IIS Logs now report
> the WAF's IP address instead of the real Internet IP of the client.
>
> For backend Apache servers this is easy to fix (I'll put it here for
> others and Google)
>
> LogFormat "%h %l ...." internal
> LogFormat "%{X-Forwarded-For}i %l ...." external
>
> setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF
>
> CustomLog /var/log/httpd/access_log internal env=!isWAF
> CustomLog /var/log/httpd/access_log external env=isWAF
>
> ...however IIS has nothing like that. How are others doing it? I've
> looked around Google and found something from 2005 - but a couple of
> releases of IIS have come out since then, so I don't know how valid
> they'd be anymore...
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
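
Added example (not part of the original posts, and not code from mod_rpaf or mod_extract_forwarded2): a log post-processor that picks the address to record from REMOTE_ADDR and the raw X-Forwarded-For value, honouring the header only when the peer is the WAF and reading it right to left, because a proxy appends the peer it saw to whatever the client already sent. The WAF address, the function names and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address of the ModSecurity/Apache WAF (constructed, TEST-NET-1).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]

def _parse(text):
    """Return an ip_address, or None for junk such as 'unknown' or injected text."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def effective_client_ip(remote_addr, xff_header):
    """Choose the address to log for one request."""
    peer = _parse(remote_addr)
    if peer is None:
        return remote_addr
    # Not from the WAF: the header is whatever the client sent, so ignore it.
    if not _trusted(peer) or not xff_header or xff_header == "-":
        return str(peer)
    # Each proxy appends the peer it saw, so walk the list right to left.
    for hop in reversed(xff_header.split(",")):
        addr = _parse(hop)
        if addr is None:
            break                 # malformed hop: fall back to last good address
        peer = addr
        if not _trusted(addr):
            break                 # first untrusted hop is the client
    return str(peer)

# Constructed sample records: (REMOTE_ADDR, X-Forwarded-For as received)
SAMPLES = [
    ("192.0.2.10", "203.0.113.7"),               # normal request via the WAF
    ("192.0.2.10", "10.9.9.9, 203.0.113.7"),     # client pre-seeded the header
    ("198.51.100.23", "127.0.0.1"),              # direct hit with a forged header
    ("192.0.2.10", "203.0.113.7, <script>"),     # junk in the trusted position
    ("192.0.2.10", "-"),                         # header absent
]

def resolve_all(records):
    return [effective_client_ip(peer, xff) for peer, xff in records]

if __name__ == "__main__":
    for rec, ip in zip(SAMPLES, resolve_all(SAMPLES)):
        print(rec, "->", ip)
```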