We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

URL Rewrite 2.0 and REMOTE_ADDRRSS

20 replies

Last post Mar 10, 2017 03:07 AM by TSW

  • URL Rewrite 2.0 and REMOTE_ADDR

    Sep 21, 2009 09:43 PM|gpduck|LINK

    I'm trying to find a solution to allow the client IP to be preserved using an X-Forwarded-For header from our hardware load balancer.  I would like to get this working with URL Rewrite 2.0 as this will be the most supportable option once v2.0 is released, but I'm having trouble getting the REMOTE_ADDR variable to be overwritten.

     I can successfully write the X-Forwarded-For value to a new HTTP_variable:

    <set name="HTTP_Test" value="{HTTP_X_Forwarded_For}" replace="true" />

    But when I try to set the REMOTE_ADDR variable, nothing happens:

    <set name="REMOTE_ADDR" value="{HTTP_X_Forwarded_For}" replace="true" />

    What am I missing here?

    server variables Url Rewriting URL RewriteV2 iis rewirte iis 7 url rewrite Module 2.0

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Sep 24, 2009 07:04 PM|anilr|LINK

    What do you mean when you say nothing happens?  Does getting the REMOTE_ADDR server-variable still gives you the non-rewritten value?  Also, look at this blog post.

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Sep 24, 2009 07:54 PM|gpduck|LINK

    I meant that the module is not doing anything to the value of REMOTE_ADDR, so the variable still returns the IP address of the load balancer.

     I have played around with your ARR helper module before, but I was hoping that URL Rewrite v2 would work so that when we eventually move this to our production servers we would be using an official Microsoft module that would be supported by the IIS team.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 12, 2009 04:43 PM|gpduck|LINK

    So is this a bug, or is it not intended that we can change the REMOTE_ADDR variable using the URL Rewrite module?

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 12, 2009 09:21 PM|anilr|LINK

    But, how are you verifying whether or not REMOTE_ADDR has changed or not - is it via some asp/asp.net code on your site?

    Anil Ruia
    Software Design Engineer
    IIS Core Server
  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 13, 2009 02:24 AM|gpduck|LINK

    Yes, I'm printing out all the server variables in an ASP page.  I am able to create a new variable, like HTTP_foo, and set that equal to the value in the x-forwarded-for header, but I cannot get anything to overwrite the REMOTE_ADDR header (either with the dynamic value from x-forwarded-for or just static text entered into the rewrite rule).

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 15, 2009 01:16 AM|ruslany|LINK

    Can you provide the rule and the asp code to repro this?

    I tried this rule:

    <rule name="test">
        <match url="(.*)" />
        <serverVariables>
         <set name="REMOTE_ADDR" value="::2" replace="true"/>
        </serverVariables>
    </rule>

    And this asp code:

    <p>REMOTE_ADDR is <%= request.servervariables("REMOTE_ADDR") %></p>

    And it worked correctly.

    Note that the server variable names are case sensitive.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 15, 2009 07:50 PM|gpduck|LINK

    I just deployed a fresh VM image of my test server to make sure I hadn't done anything to the IIS config to screw this up.  This is on a fresh 2008 x64 image with SP2 applied.

     Here is my web.config:

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <rewrite>
                <rules>
    <rule name="test">
        <match url="(.*)" />
        <serverVariables>
         <set name="REMOTE_ADDR" value="::2" replace="true"/>
         <set name="HTTP_FOO" value="Hello" replace="true"/>
        </serverVariables>
    </rule>

                </rules>
            </rewrite>
        </system.webServer>
    </configuration>

    And here is the ASP:

    <html>
    <head>
    <title>boo</title>
    </head>
    <body>
    <p>REMOTE_ADDR is <%= request.servervariables("REMOTE_ADDR") %></p>
    <p>Foo is <%= request.servervariables("HTTP_FOO") %></p>
    </body>

     And here is my output the first time I hit the page (the IP returned is that of our load balancer):

    REMOTE_ADDR is x.x.x.x

    Foo is Hello

    What is weird is that if I refresh the page the "Hello" drops off, until I recycle the app pool.  If I define the rule in the applicationHost.config instead of web.config I get the same result as far as the IP address but the "Hello" does not drop off after one request.

    I don't see any errors in the application or system logs when I have the rule defined in web.config, but I did get a sxs error when I installed URL Rewrite:

    Activation context generation failed for "C:\Windows\system32\inetsrv\rewrite.dll". Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.1" could not be found. Please use sxstrace.exe for detailed diagnosis.

    I checked and that assembly is in my c:\windows\winsxs folder.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 19, 2009 05:36 PM|ruslany|LINK

    I tried to repro this with the beta build on a Win2k8 x64 machine, but exact same rule and the asp page produced the correct result.

    The problem with "Hello" dropping off is a known bug that will be fixed in the upcoming release of the URL Rewrite 2.0.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Jan 26, 2010 08:01 PM|gpduck|LINK

    To follow up on this, I have no idea what I was doing before that was making this not work, but I just installed the URL Rewrite 2.0 RC and it was a snap to setup and so far replacing REMOTE_ADDR has worked great.

    Thanks for all the help troubleshooting Ruslan and Anil, and for the great tool!

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Mar 31, 2010 10:11 AM|rynnoworld|LINK

    We are looking to replace REMOTE_ADDR 100% in all cases, including null.
    We are replacing REMOTE_ADDR successfully with this rule as long as there is a string in the url path (i.e. http://www.OurAwesomeWebsite.com/string )

    rule name="WildCard_Match" enabled="true"
     match url="(.*)"
     serverVariables
      set name="REMOTE_ADDR" value="{HTTP_LB_IP}" replace="true"
     serverVariables
     action type="None"
    rule

    However, does not work for the case where the url path is null (i.e. http://www.OurAwesomeWebsite.com/ )
    What regular expression should be used in this case?

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Mar 31, 2010 01:34 PM|ruslany|LINK

    This pattern - (.*) should have matched the empty string. Note also that you do not need to use parenthesis in this case. The pattern can be just ".*".

    Do you have any other rewrite rules before or after this one? May be they interfere when empty URL path is used? Also try enabling Failed Request Tracing and see how what is given as an input to this rewrite rule.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Apr 06, 2010 12:04 PM|rynnoworld|LINK

    To answer your questions, there are no other rules. This is the only rule, and it is global.

    I have more information after running Failed Request Tracing, which hopefully will shed some light on the issue at hand. Here is the current rundown (I updated the rule to the pattern ".*"):

    <rewrite>
         <globalRules>
              <rule name="Rule1">
                   <match url=".*" />
                   <serverVariables>
                        <set name="REMOTE_ADDR" value="{HTTP_LB_IP}" />
                   </serverVariables>
                   <action type="None" />
              </rule>
         </globalRules>
    </rewrite>

    Abbreviated contents of Default.aspx (NOTE! Default.aspx is the IIS Default Document):

    <tr>
         <td>HTTP_LB_IP Value: </td>
         <td><%= Request.ServerVariables["HTTP_LB_IP"] %></td>
    </tr>
    <tr>
         <td>REMOTE_ADDR Value: </td>
         <td><%= Request.ServerVariables["REMOTE_ADDR"] %></td>
    </tr>

    • <div mce_keep="true">Results when using the "Test Pattern" feature in URL Rewrite</div>
      • <div mce_keep="true">true</div>
    • <div mce_keep="true">Results when hitting these paths:</div>
      • <div mce_keep="true"><OurWebsite>.com/default.aspx</div>
        • <div mce_keep="true">IIS Log</div>
          • <div mce_keep="true">GET /default.aspx - 80 - <Load Balancer Backend IP></div>
        • <div mce_keep="true">Browser</div>
          • <div mce_keep="true">HTTP_LB_IP Value: <PublicIP></div>
          • <div mce_keep="true">REMOTE_ADDR Value: <PublicIP></div>
        • <div mce_keep="true">Failed Request Trace Log</div>
          • <div mce_keep="true">PATTERN_MATCH</div>
            • <div mce_keep="true">Pattern .*</div>
            • <div mce_keep="true">Input default.aspx</div>
            • <div mce_keep="true">Negate false</div>
            • <div mce_keep="true">Matched true</div>
          • <div mce_keep="true">SET_SERVER_VARIABLE</div>
            • <div mce_keep="true">Name REMOTE_ADDR</div>
            • <div mce_keep="true">Value {HTTP_LB_IP}</div>
            • <div mce_keep="true">ExpandedValue <PublicIP></div>
            • <div mce_keep="true">Replace true</div>
            • <div mce_keep="true">IsHeader false</div>
          • <div mce_keep="true">RULE_EVALUATION_END</div>
            • <div mce_keep="true">RuleName Rule1</div>
            • <div mce_keep="true">RequestURL default.aspx</div>
            • <div mce_keep="true">QueryString</div>
            • <div mce_keep="true">StopProcessing false</div>
            • <div mce_keep="true">Succeeded true</div>
      • <div mce_keep="true"><OurWebsite>.com/</div>
        • <div mce_keep="true">IIS Log</div>
          • <div mce_keep="true">GET / - 80 - <Load Balancer Backend IP></div>
        • <div mce_keep="true">Browser</div>
            • <div mce_keep="true">HTTP_LB_IP Value: <PublicIP></div>
            • <div mce_keep="true">REMOTE_ADDR Value: <Load Balancer Backend IP></div>
        • Failed Request Trace Log <div mce_keep="true">
          • <div mce_keep="true">PATTERN_MATCH</div>
            • <div mce_keep="true">Pattern .*</div>
            • <div mce_keep="true">Input </div>
            • <div mce_keep="true">Negate false</div>
            • <div mce_keep="true">Matched true</div>
          • <div mce_keep="true">SET_SERVER_VARIABLE</div>
            • <div mce_keep="true">Name REMOTE_ADDR</div>
            • <div mce_keep="true">Value {HTTP_LB_IP}</div>
            • <div mce_keep="true">ExpandedValue <PublicIP></div>
            • <div mce_keep="true">Replace true</div>
            • <div mce_keep="true">IsHeader false</div>
          • <div mce_keep="true">RULE_EVALUATION_END</div>
            • <div mce_keep="true">RuleName Rule1</div>
            • <div mce_keep="true">RequestURL </div>
            • <div mce_keep="true">QueryString</div>
            • <div mce_keep="true">StopProcessing false</div>
            • <div mce_keep="true">Succeeded true</div>
          </div>

    Based on this information, I would expect the browser result for <OurWebSite>.com/ would be the same result as <OurWebSite>.com/default.aspx since it is the same page (since default.aspx is the "default page" in IIS) and the rule evaluates true in both cases. Once we get this issue worked out, this will solve a major issue with our legacy code base. I'm very excited!

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Apr 06, 2010 02:20 PM|gpduck|LINK

    I can confirm that I am seeing the same behavior, when a page is accessed using its full name (contoso.com/default.asp) the URLRewrite successfully replaces the server variables, when the page is set as a default document and accessed using the folder name (contoso.com/) URLRewrite does not do the server variable replacement.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Apr 06, 2010 07:58 PM|ruslany|LINK

    This is the issue caused by using URL Rewrite 2.0 together with IIS default document. IIS Default Document module makes a child request in IIS but it does not preserve the request context when doing this. So if URL rewrite has set a server variable and then default document module runs the server variable change gets lost. This is a problem with the default document module and IIS team is looking into ways for fixing it.

    Meanwhile you can try the workaround:

    Disable the IIS default document and implement the default document behavior by using URL rewrite. Here are the rules that implement that :

     <rules>
                    <rule name="DefaultDocTrailingSlash" enabled="false" stopProcessing="true">
                        <match url=".*[^/]$" />
                        <conditions>
                            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
                        </conditions>
                        <action type="Redirect" url="{R:0}/" />
                    </rule>
                    <rule name="DefaultDocRewrite" stopProcessing="true">
                        <match url=".*" />
                        <conditions logicalGrouping="MatchAny">
                            <add input="{URL}" pattern="^/$" />
                            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
                        </conditions>
                        <action type="Rewrite" url="{R:0}/Default.aspx" />
                    </rule>
    </rules>

    Note that this won't work if you use global rules to set the server variable. This only works when distributed rules (i.e. inside of the <rules> section) set the server variable. Is there a reason why in your case you have this as a global rule?

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Apr 08, 2010 10:40 AM|rynnoworld|LINK

    This workaround was successful.

    Our legacy code (the code that uses REMOTE_ADDR) is not load balanced. We do not have enough developer resources to rewrite the legacy code to use our custom header. Setting this rule globally on a server would allow us a quick way to migrate our legacy code to a server farm behind load balancers. Despite not being able to set this up at the global level, we will probably move forward with the workaround. I have not found anything else that will accomplish this task, so thanks for the sweet tool!

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    May 26, 2011 06:54 PM|BenLiyanage|LINK

    ruslany

    This is a problem with the default document module and IIS team is looking into ways for fixing it.
     

    Has there been a fix for this?  It is close to a year later.

     Thanks,

    -Ben

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Oct 23, 2012 11:07 AM|dsherron|LINK

    I can confirm we are still having this problem on IIS 7.5 with URL Rewrite Module 2.0 and the Default Document module. This problem has now been known about for 2 1/2 years!!!! Is there any kind of hotfix available?
  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    May 26, 2015 07:21 AM|Philip Wigg|LINK

    Was there ever a fix for this?

    We just lost several days trying to fix this problem.

    It would be really helpful if the documentation about rewriting server variables mentioned this significant bug.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Sep 19, 2016 03:48 PM|jinzai|LINK

    This remains an issue and it is not an acceptable answer to mangle the URL further. RESTful services are a particularly egregious failure when the WCF sits behind an URL Rewrite and a load balancer. Developers need their URLs and often, the original requestor's IP preserved in some fashion. That's what "X-Forwarded_For" was created to do in the first place -- it is a collection for a reason.

    This seems a common scenario...IIS has been configured by another department and the first wrongful thing done is to ferry all HTTP to another entirely different protocol -- HTTPS. That is not security at all -- it is punching a huge hole in security, in fact. It is never a good idea to try and coddle the user at the front door like that. Security intentionally makes things more difficult -- it is the primary purpose of security in the first place.

    Load balancers are great, but when they strip off the requestor's IP, they are a giant nuisance. Furthermore, the way the development environment is -- you can only truly test code like this -- on Production -- another fundamental mistake that poor implementation causes unnecessarily.

    To some, it matters a great deal.

  • Re: URL Rewrite 2.0 and REMOTE_ADDR

    Mar 10, 2017 03:07 AM|TSW|LINK

    After running into this exact issue, I developed a simple workaround using a custom IHttpModule, which I have setup in applicationHost.config so that all of my sites run all requests through it. It replaces the REMOTE_ADDR and REMOTE_HOST server variables with the first IP address found in X-Forwarded-For. And yes, it works even on default documents. :-)

    https://gist.github.com/winzig/ee57e559341a2a92d8ee7bc0daa1304a