2 May 09:15
Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?
From: Ivan Ristic <ivan.ristic <at> gmail.com>
Subject: Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-02 07:15:59 GMT
Subject: Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-02 07:15:59 GMT
There's nothing we can do about the backend IIS in ModSecurity, as the
IP address is extracted from the networking layer.
One solution, which you've already found, is to deploy an IIS module.
The only other way to do it is with a transparent networking
appliance. Appliances work because they can fiddle with the packets to
fake the source IP address. This is one reason why people favour
appliances over self-assembled reverse proxies.
On Fri, May 2, 2008 at 1:57 AM, Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:
> Hi there
>
> We are using modsecurity on Apache to protect backend IIS servers (ie a
> WAF), and of course, one downside is that all the IIS Logs now report
> the WAF's IP address instead of the real Internet IP of the client.
>
> For backend Apache servers this is easy to fix (I'll put it here for
> others and Google)
>
> LogFormat "%h %l ...." internal
> LogFormat "%{X-Forwarded-For}i %l ...." external
>
> setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF
>
> CustomLog /var/log/httpd/access_log internal env=!isWAF
> CustomLog /var/log/httpd/access_log external env=isWAF
>
> ...however IIS has nothing like that. How are others doing it? I've
> looked around Google and found something from 2005 - but a couple of
> releases of IIS have come out since then, so I don't know how valid
> they'd be anymore...
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> mod-security-users mailing list
> mod-security-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
--
--
Ivan Ristic
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
RSS Feed