IIS 7.0 - Application Request Routing (ARR)

Re: Can requests appear to come from the original client?

anilr — Thu, 05 Nov 2009 23:21:26 GMT

ARR helper has now been updated with the suggestions above.

Re: Can requests appear to come from the original client?

stever@bitshop.com — Sun, 11 Oct 2009 16:44:39 GMT

Have you considered just making this a CodePlex project so these enhancements could be made? I would think some of the people interested in these enhancements could contribute them..

Re: Can requests appear to come from the original client?

Brian Adams — Wed, 26 Aug 2009 05:55:32 GMT

Just wanted to second everyone else that says the version of the ARRHelper that lets us provide and update trusted proxies would be very helpful. The problem I have is that with managed code there does not appear to be a way to get in front of the ARRHelper before it executes in the pipeline. If I could do that then I could have my own logic that checks for trusted proxy chains and I could blank out the x-forward-for header before the AARHelper even has a chance to process it.

Re: Can requests appear to come from the original client?

anilr — Sun, 26 Jul 2009 13:41:54 GMT

Thanks, I will give that a look. Not sure exactly when I will update the ARRHelper module though.

Re: Can requests appear to come from the original client?

JohnGalt1 — Wed, 22 Jul 2009 20:12:03 GMT

This definitely does appear to work great. Thanks much anilr!

I'll have to throw my hat in the ring for a little more security on it though. Assuming a chain of proxies before the web server, and therefore a chain of X-Forwarded-For addresses in the header, which IP is picked to be the client IP in your module? Is it always the first IP in the chain?

If you are interested, here's some interesting info on how the problem has been addressed in Apache's mod_extract_forwarded module http://www.openinfo.co.uk/apache/index.html.

Re: Can requests appear to come from the original client?

Rolle — Mon, 20 Jul 2009 15:36:44 GMT

Great! It's working on our dev area...

Thanks!

Re: Can requests appear to come from the original client?

anilr — Thu, 16 Jul 2009 00:53:05 GMT

I have re-released the ARR helper module on my blog with fix for ignoring invalid X-Forwarded-For header. The feature to only accept X-Forwarded-For headers from trusted proxies is still under consideration.

Re: Can requests appear to come from the original client?

niik — Wed, 13 May 2009 12:28:59 GMT

@anilr: you're absolutely right, we're not using ARR yet the helper module was simple and effective way of solving our problem! thanks a bunch btw =)

Re: Can requests appear to come from the original client?

anilr — Tue, 05 May 2009 17:04:43 GMT

Mike, I think niik is talking about the application server and not the load-balancing server (he is probably not using ARR at all) - he wants the ARRHelper module to only do its work on certain websites on the application server.

Re: Can requests appear to come from the original client?

Mike Ayling — Tue, 05 May 2009 14:37:42 GMT

I would think that you could add conditions to the rewrite rule that sends traffic to a defined webfarm. For example, if you only want the request rewritten for ARR if a specific host header is specified, then add a condition for {HTTP_HOST} in the rewrite rule.

Re: Can requests appear to come from the original client?

anilr — Mon, 04 May 2009 16:36:24 GMT

I will look at that - it may be a while (also for the request to ignore invalid X-Forwarded-For headers), I am currently pretty busy with beta2 of ARRv2.

Re: Can requests appear to come from the original client?

niik — Mon, 04 May 2009 15:27:20 GMT

Hey, great module,exactly what we where looking for!

One question though, is there any way of enabling/disabling the ARRHelper module for specific websites?

Some of our websites are portmapped directly through our firewall and some go through our ssl-offload/reverse-proxy and I'd like the ARRHelper to only operate on the latter.

I've tried removing the element from the modules-section of applicationHost.config without any luck. I've also tried adding a element to the applicationHost and the Web.config file, also without any luck. It seems to as if the module gets activated once it has been included in the globalModules section.

Perhaps you could add an enabled="(true|false") attribute to the configuration schema?

Thanks!

Re: Can requests appear to come from the original client?

ShqTth — Mon, 20 Apr 2009 18:57:31 GMT

When using squid,

HTTP_VIA=1.1 sheldows-vista:80 (squid/2.7.STABLE4)
HTTP_X_FORWARDED_FOR=96.48.192.227
LOCAL_ADDR=127.0.0.1
REMOTE_ADDR=127.0.0.1
REMOTE_HOST=127.0.0.1

HTTP_X_FORWARDED_FOR is the ip address of the client connected to the proxy, or if squid made a request for multiple clients, then sometime X-FORWARDED-FOR may contain multiple ip addresses seperated by "," such as:
HTTP_X_FORWARDED_FOR = x.x.x.x,y.y.y.y, z.z.z.z

REMOTE_ADDR will be the ip address of the proxy
REMOTE_HOST will be either the ip address of the proxy or the name of the proxy machine

Re: Can requests appear to come from the original client?

ShqTth — Mon, 20 Apr 2009 18:48:40 GMT

1)You can check to make sure REMOTE_ADDR matches one of the ip address defined in the config file.

If there is a match, then you know the request came from the load balancer / proxy srrver in reverse mode meaning X-FORWARDED-FOR can be trusted.

- This option should be an option to turn off or on.
- if LOCAL_ADDR matches REMOTE_ADDR then its trusted.
- network range or netmask would be nice such as y.y.y.x or x.x.x.x/y (example 192.168.1. or 192.168.1.0/24)

2) Or if REMOTE_ADDR matches 127.0.0.1 or 192.168.X.X or LOCAL_ADDR you pretty much can assume that X-FORWARDED-FOR can be trusted as the request came from a local server.

3) Advanced option (will be slower as it requires a lookup, but result can be cached):
Or the VIA header cantains the name of the proxy server. oviously the name much resolve to the REMOTE_ADDR to be valid.

4) REMOTE_HOST can be matched. it is usually the ip addres or name of the proxy server. But information in REMOTE_HOST isn't always reliable. (I never seen it set to an actual host name to date)

Anyways

options 1 & 2 seem like a good way to make sure X-FORWARDED-FOR can be trusted or not. but if an option like that is implemented it should be optional as some people wont need it.

Re: Can requests appear to come from the original client?

anilr — Mon, 20 Apr 2009 18:20:11 GMT

How can you verify that the X-Forwarded-For is not spoofed? It is never going to be the IP of the client, but an arbitrary IP that connected to the load-balancer. Any validation of the client should be done by the load-balancer connecting to ARR.