Robert.Colbe...
2 Posts
Re: Can requests appear to come from the original client?
Oct 19, 2011 12:29 PM
Hi Martin,
Thank you for the reply. If Anil left the company, are there any plans to release the ARR Helper source on Codeplex? His module did one thing that the one created by F5 Networks did not: It changed the source IP early enough in the pipeline that it appeared to the .NET code running (i.e. SharePoint 2010).
The F5 code only changes the IP when it is written out to the log files which is good for log based analytics but doesn't help if you need to do anything with the real source IP earlier in the request.
-Robert
HCamper
8048 Posts
Re: Can requests appear to come from the original client?
Oct 19, 2011 07:47 PM
Hi Robert,
I am not sure of the plans for the ARR Helper Module?
I am not sure the source code could be released or where, CodePlex or MSDN Archives?
Just was making sure you were able to get the ARR Helper Module installed.
I suggest you contact the IIS ARR Team to get the Status.
I do not use the ARR Helper Module.
You should include the features items in your contact to the IIS ARR Team.
Martin
Community Member Award 2011
ShqTth
10 Posts
Re: Can requests appear to come from the original client?
Nov 27, 2011 07:15 AM
I have a load balancing server that serves requests data from multiple computers. And this module works great.
But it would be nice if your module supported cascading proxy servers (secondary proxy server trust list).
However, I am trying out Cloudflare, it has a certain IP range it uses for requests. The problem is that its requests show up in my log file instead of the IPs of the people connecting. Cloudflare is a proxy/cloud that helps accelerate my server all over the world, since Cloudflare has its own network of computers all over the world. It works great, and is free. Also it uses an RBL to block bad IPs such as bad crawlers or form spammers etc.
Ok, my problem is that I use a load balancing server (proxy) to serve up the website and to send requests to my proper back end servers, and adding Cloudflare makes it like a proxy through a proxy. So your module works and knows I have a proxy, but it doesn't do the same for Cloudflare.
LOCAL_ADDR
REMOTE_ADDR=199.27.128.183 <--- this is Cloudflare's IP. REMOTE_ADDR should be 1xx.1.9x.1xx not 199.27.128.183
HTTP_X_FORWARDED_FOR=1xx.1.9x.1xx, 199.27.128.183 <- this is correct but 199.27.128.183 is the secondary proxy that I trust.
I talked about making a trust list of ip addresses to trust the HTTP_X_FORWARDED_FOR header if REMOTE_ADDR equals one of these ip addresses or REMOTE_ADDR equals LOCAL_ADDR, or LOCAL_ADDR/REMOTE_ADDR equals 127.0.0.1. (or REMOTE_ADDR is on the same network as LOCAL_ADDR ex 192.168.x if LOCAL_ADDR is a class A,B,C private network range) list could be a list of ip addresses or also includes a range.
Well, if the HTTP_X_FORWARDED_FOR header is trusted, then the IP addresses should be scanned from right to left, and if a secondary proxy that's trusted or an IP matches the list, then it's removed in your process of HTTP_X_FORWARDED_FOR for figuring out what is the client's connecting IP. Normally your module uses the first IP address to the right.
The problem I experience is because I use a dynamic filter to block IP addresses that connect to my website too much, to prevent leeching or unfair usage; well, Cloudflare's IP addresses get blocked by mistake. Also my custom ASPX programs need to know the IP address of the remote client, and the software for my log files needs to have the proper remote IP tracked or else the tracking information in the log files is useless.
All it would take is a for loop that analyzes each IP from right to left of HTTP_X_FORWARDED_FOR, and stops if no match, and proceeds to the next IP if a match is found. HTTP_X_FORWARDED_FOR should be preserved so logging software knows if a secondary proxy was used, and maybe add the header REMOTE_ADDR_PROXY/REMOTE_ADDR_PROXY(x) etc., one for each, so it's possible to track what proxy servers. REMOTE_ADDR_PROXY for the primary proxy server that initially set HTTP_X_FORWARDED_FOR, and REMOTE_ADDR_PROXY(x) for each additional secondary proxy server that is trusted.
It may be nice to know if the client accessed data through a secondary proxy server.
ShqTth
10 Posts
Re: Can requests appear to come from the original client?
Nov 27, 2011 07:24 AM
Just to note, that cloudflare does add headers:
HTTP_CF_CONNECTING_IP=1xx.1.9x.1xx
HTTP_CF_IPCOUNTRY=CA
and also sets HTTP_X_FORWARDED accordingly.
But that does not help with the issue of the wrong REMOTE_ADDR being tracked. And people may use other secondary proxy servers.
So you know, I accept connections through my primary proxy server, also, I accept connections from websites that I host with Cloudflare enabled, or I accept connections from websites that have both my IP address listed and a secondary proxy server listed to help with load balancing.
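The right-to-left scan with a proxy trust list that ShqTth describes in the two posts above, as an added example (not code from the ARR Helper module, from F5, or from anyone in this thread). Python is used only to show the logic; the load balancer address 192.168.0.10, the 192.168.0.0/24 range and the function names are assumptions, and only 199.27.128.183 comes from the thread.

```python
import ipaddress

# Constructed trust list: single addresses or ranges, as the post suggests.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32",
    "192.168.0.0/24",      # assumed LAN of the primary (load balancing) proxy
    "199.27.128.183/32",   # secondary proxy address quoted in the post
)]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside any trusted address or range."""
    return any(addr.version == net.version and addr in net for net in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Return (client_ip, proxies); proxies lists trusted hops, nearest first.

    remote_addr is the TCP peer as seen by the server. The header is only
    consulted when that peer is itself a trusted proxy.
    """
    client = ipaddress.ip_address(remote_addr)
    proxies = []
    if not is_trusted(client, trusted):
        # Peer is not a known proxy: the header is client-controlled, ignore it.
        return str(client), proxies
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):           # scan right to left
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                        # malformed entry: keep last valid hop
        proxies.append(str(client))      # the previous address was a proxy
        client = addr
        if not is_trusted(addr, trusted):
            break                        # first untrusted address is the client
    return str(client), proxies


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 -> 199.27.128.183 -> load balancer.
    print(resolve_client_ip("192.168.0.10", "203.0.113.7, 199.27.128.183"))
```

The returned proxy list carries the same information as the REMOTE_ADDR_PROXY headers proposed in the post, and the original X-Forwarded-For value is left untouched. Because the scan stops at the first untrusted address, entries further left in the header, which a client can set itself, never influence the result.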
HCamper
8048 Posts
Re: Can requests appear to come from the original client?
Nov 27, 2011 12:16 PM
Hi,
Just in case you missed the note:
Anil left the IIS Team some time in case you're waiting on a reply.
Martin
Community Member Award 2011
ShqTth
10 Posts
Re: Can requests appear to come from the original client?
Nov 27, 2011 06:21 PM
I didn't notice. I just saw he hasn't posted in a long time. Is someone else taking over this module or are we out of luck?
HCamper
8048 Posts
Re: Can requests appear to come from the original client?
Nov 28, 2011 01:28 AM
Hi,
Last post long time ago.
Not sure of status check with the Team http://forums.iis.net/t/1176889.aspx .
Martin
Community Member Award 2011