Jason Haar | 2 May 02:53

any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

Hi there

We are using modsecurity on Apache to protect backend IIS servers (ie a 
WAF), and of course, one downside is that all the IIS Logs now report 
the WAF's IP address instead of the real Internet IP of the client.

For backend Apache servers this is easy to fix (I'll put it here for 
others and Google)

LogFormat "%h %l ...." internal
LogFormat "%{X-Forwarded-For}i %l ...." external

setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF

CustomLog /var/log/httpd/access_log internal env=!isWAF
CustomLog /var/log/httpd/access_log external env=isWAF

...however IIS has nothing like that. How are others doing it? I've 
looked around Google and found something from 2005 - but a couple of 
releases of IIS have come out since then, so I don't know how valid 
they'd be anymore...

Thanks

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
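
Added example (not part of the original thread): the Apache snippet above only logs X-Forwarded-For when the connection comes from the WAF, which matters because the header is client-supplied. The Python below applies the same gate to one request and also reads the header right to left, since a proxy appends the address it saw to whatever the client sent; the 192.0.2.10 WAF address, the sample requests and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed address from a documentation range; stands in for the WAF.
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}


def _parse(value):
    """Return an ip_address for value, or None if it is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def effective_client(peer, xff, trusted=TRUSTED_PROXIES):
    """Pick the address to log for one request.

    peer: address of the TCP connection (REMOTE_ADDR / %h).
    xff:  raw X-Forwarded-For header value, or None.
    """
    peer_ip = _parse(peer)
    # Same gate as env=!isWAF: the header is ignored unless the WAF sent it.
    if peer_ip is None or peer_ip not in trusted or not xff:
        return peer
    # Proxies append the address they saw, so read right to left and stop
    # at the first hop that is not one of our own proxies.
    for hop in reversed(xff.split(",")):
        hop_ip = _parse(hop)
        if hop_ip is None:
            return peer          # malformed entry: fall back to the peer
        if hop_ip not in trusted:
            return str(hop_ip)
    return peer                  # header held only our own proxies


def demo():
    # Constructed sample requests: (connection peer, X-Forwarded-For value).
    samples = [
        ("192.0.2.10", "203.0.113.7"),            # normal request via the WAF
        ("192.0.2.10", "10.1.1.1, 203.0.113.7"),  # client sent its own header
        ("198.51.100.5", "203.0.113.7"),          # direct hit, header ignored
        ("192.0.2.10", "unknown, 203.0.113.7"),   # junk to the left is skipped
    ]
    return [effective_client(p, x) for p, x in samples]


if __name__ == "__main__":
    print(demo())
```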

William Salusky | 2 May 03:11

Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

I've never used the following, so YMMV.  Perhaps the package hosted by the folks at F5 networks is an improvement over what you might have already investigated?

IIS X-Forwarded-For ISAPI Filter
 http://devcentral.f5.com/weblogs/joe/archive/2005/09/23/1492.aspx

W


On Thu, May 1, 2008 at 8:57 PM, Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:
> Hi there
>
> We are using modsecurity on Apache to protect backend IIS servers (ie a
> WAF), and of course, one downside is that all the IIS Logs now report
> the WAF's IP address instead of the real Internet IP of the client.
>
> For backend Apache servers this is easy to fix (I'll put it here for
> others and Google)
>
> LogFormat "%h %l ...." internal
> LogFormat "%{X-Forwarded-For}i %l ...." external
>
> setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF
>
> CustomLog /var/log/httpd/access_log internal env=!isWAF
> CustomLog /var/log/httpd/access_log external env=isWAF
>
> ...however IIS has nothing like that. How are others doing it? I've
> looked around Google and found something from 2005 - but a couple of
> releases of IIS have come out since then, so I don't know how valid
> they'd be anymore...
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users

Russ Lavoy | 2 May 03:42

Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

In the Linux world and my current configuration, I use
mod_extract_forwarded2 to get the "X-Forwarded-For"
header before Apache AND before modsecurity.

If my memory serves me right there is a
mod_extract_forward module for the Windows version of
Apache...  (Not sure about IIS though).

If you are running something older than 2.1.4 you will
also need to re-compile modsecurity and change the
following line in mod_security2.c....  Whatever module
you choose to use, make sure it is somewhere in the
below constant.

    static const char *postread_beforeme_list[] = {
        "mod_rpaf.c",
        "mod_extract_forwarded2.c",
        "mod_breach_realip.c",
        "mod_breach_trans.c",
        "mod_unique_id.c",
        NULL
    };

Good luck...

Russ

--- Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:

> Hi there
>
> We are using modsecurity on Apache to protect backend IIS servers (ie a
> WAF), and of course, one downside is that all the IIS Logs now report
> the WAF's IP address instead of the real Internet IP of the client.
>
> For backend Apache servers this is easy to fix (I'll put it here for
> others and Google)
>
> LogFormat "%h %l ...." internal
> LogFormat "%{X-Forwarded-For}i %l ...." external
>
> setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF
>
> CustomLog /var/log/httpd/access_log internal env=!isWAF
> CustomLog /var/log/httpd/access_log external env=isWAF
>
> ...however IIS has nothing like that. How are others doing it? I've
> looked around Google and found something from 2005 - but a couple of
> releases of IIS have come out since then, so I don't know how valid
> they'd be anymore...
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Ivan Ristic | 2 May 09:15

Re: any way to get IIS to log X-Forward-For instead of REMOTE_ADDR?

There's nothing we can do about the backend IIS in ModSecurity, as the
IP address is extracted from the networking layer.

One solution, which you've already found, is to deploy an IIS module.
The only other way to do it is with a transparent networking
appliance. Appliances work because they can fiddle with the packets to
fake the source IP address. This is one reason why people favour
appliances over self-assembled reverse proxies.

On Fri, May 2, 2008 at 1:57 AM, Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:
> Hi there
>
>  We are using modsecurity on Apache to protect backend IIS servers (ie a
>  WAF), and of course, one downside is that all the IIS Logs now report
>  the WAF's IP address instead of the real Internet IP of the client.
>
>  For backend Apache servers this is easy to fix (I'll put it here for
>  others and Google)
>
>  LogFormat "%h %l ...." internal
>  LogFormat "%{X-Forwarded-For}i %l ...." external
>
>  setEnvIf Remote_Addr "^ip.of.modsecurity.server$" isWAF
>
>  CustomLog /var/log/httpd/access_log internal env=!isWAF
>  CustomLog /var/log/httpd/access_log external env=isWAF
>
>  ...however IIS has nothing like that. How are others doing it? I've
>  looked around Google and found something from 2005 - but a couple of
>  releases of IIS have come out since then, so I don't know how valid
>  they'd be anymore...
>
>  Thanks
>
>  --
>  Cheers
>
>  Jason Haar
>  Information Security Manager, Trimble Navigation Ltd.
>  Phone: +64 3 9635 377 Fax: +64 3 9635 417
>  PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-- 
Ivan Ristic
