We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

Does ARR/URL Rewrite mean cs-host field in IIS Logs has server IP and port instead of hostname? RSS

0 replies

Last post Oct 01, 2020 09:22 PM by roryk

  • Does ARR/URL Rewrite mean cs-host field in IIS Logs has server IP and port instead of hostname?

    Oct 01, 2020 09:22 PM|roryk|LINK

    Question summary:

    Does URL Rewrite / Application Request Routing within IIS mean that the cs-host field no longer logs the request hostname and instead logs the target server ip & port? If so, how can I log the hostname in my IIS logs?

    Question detail:

    I have a multi-tenant application hosted on several IIS servers and until now haven't been logging cs-host field. I selected cs-host in the W3C Logging Fields dialog and was then surprised to see my server IP address and port logged instead of the requested hostname :-(

    My guess is that it's something to do with me using URL Rewrite / ARR. This is how I use URL Rewrite:

    • Tenants each have their own subdomain, like atenant.mycoolapp.com
    • All subdomains point to the IP address of my main IIS server, let's call it 10.52.123.40
    • Binding on one WebSite on that server is for *.mycoolapp.com, so all requests go to that WebSite
    • URL Rewrite is configured on that WebSite so that different URL paths are rewritten to different WebSites, some on the same server and some on other IIS servers. e.g. here's one rule that rewrites all the urls with path starting 'api/account/' to a different IIS server, let's call it IP 10.52.123.45:
    Input: URL path after '/'
    Match: Matches
    Pattern: ^api/account/(.*)
    Action Type: Rewrite
    Action URL: https://10.52.123.45:1200/api/account/{R:1}
    

    The server IP address & port that is logged is the re-written one, i.e. the server & IP that actually hosts the code that processes the request & generates the response.

    I've turned on cs-host logging on both the WebSite that receives the initial request and the WebSites that receive the rewritten request. Both of them contain the IP & port instead of the hostname in the cs-host field.

    Here's an example line from my IIS log file (I've replaced the IP addresses) from the main WebSite. I get the same sort of thing in the other WebSite logs too (i.e. server IP & port instead of hostname in cs-host).

    #Software: Microsoft Internet Information Services 10.0
    #Version: 1.0
    #Date: 2020-09-30 00:00:00
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes time-taken
    2020-09-30 00:00:04 10.52.123.40 GET /api/admin/system/users/admin - 443 - 12.34.56.100 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/85.0.4183.121+Safari/537.36 https://atenant.mycoolapp.com/ 10.52.123.45:1200 200 0 0 770 46
    

    So my questions are: is it URL Rewrite / ARR that's doing this, and if so how can I log the requested hostname?

    Also posted on serverfault here.