Client-ip not logged on application server when using ARR

Posted: Mar 03, 2009  38 comments  

Average Rating

Tags
ARR
IIS7
X-Forwarded-For

Share this Post

I have been meaning to blog for a while, but something always seems to get in the way.  So, here is my first blog post.

Let me first introduce myself.  I have been a developer on the IIS team since 1999, from the beginning of the IIS6 product cycle.  I worked on the request processing pipeline for IIS6 and IIS7, including the new native extensibility in IIS7 and integration with the asp.net pipeline to make managed extensibility of IIS pipeline possible.  I know that many people have questions both about the IIS7 native extensibility and the integrated pipeline and I try to answer them in forums whenever I can, but you should send me any topics that you would like me to address in this blog.  Since IIS7 shipped, I have been working on ARR.  We just shipped RTW for v1 of ARR.  We are working on some great new things for the next version of ARR and would definitely love to hear any feature requests or feedback from ARRv1 that we can incorporate into future releases.  But, more on that later.

Today, I am trying to address a specific problem users of ARR (or any other load-balancer that does not do direct server return) have.  Specifically, that the client-ip that gets logged on their application server is the ip of the load-balancer and not the real client-ip.  Also, others have reported problem when using the SSL offloading feature of ARR that since the request to the application is over http which can trip up application logic including any absolute links generated by the application.  Also, there is need to correlate IIS logs between the ARR machine and the content server for troubleshooting or other reasons. I have written a module which you can install on your application servers running IIS7 to take care of these problems.

Download x64 x86

Extract the msi from the zip file and run it.  It will install the module under "%PROGRAMFILES%\IIS\ARR Helper\"  and register the configuration section it uses.  It allows configuration of a few parameters in IIS configuration - you can find them in %windir%\system32\inetsrv\config\schema\arr_helper_schema.xml - they should be pretty self descriptive.  You can use appcmd/AHAdmin/MWA/Config-Editor etc to edit those configuration parameters.

Edit: I have updated the msi downloads to fix a couple of bugs and add a couple of features that people reported.

Edit 11/05/2009: as per suggestions from the forums, I have added feature to the ARR helper to configure ip addresses of trusted proxies.  Only X-Forwarded-For headers from those proxies will be honored.

Technorati Tags: ,,

Comments

Any reason why something like this hasn't been added to IIS7 core or at least an IIS7 feature?

Jul 28 2009 by pure.krome

Have you considered allowing an option to choose whether to use the first or last entry in the X-Forwarded-For header?  We'd love to use this helper for sites that are CDN enabled, but currently your helper uses the last proxy device on the CDN instead of the originating client.  For example, a header of  X-Forwarded-For: 192.168.1.1, 192.168.100.1, 192.168.200.1  causes you to set REMOTE_ADDR to 192.168.200.1 but in this case the origin of the request is actually 192.168.1.1

Aug 19 2009 by barryhagan

I have had good luck with this tool, we are using ARR behind ServerIron LB's, and this tool accurately reports the client IP both in the W3SVC logs and in my test page:

<%@ LANGUAGE="VBSCRIPT" %>

<HTML>

<HEAD>

<TITLE>Client IP Test Page</TITLE>

<% ClientIP=Request.ServerVariables("REMOTE_HOST")%>

</HEAD>

<BODY>

<p>

Your IP Address is <% Response.Write(ClientIP) %>

</p>

</BODY>

</HTML>

Sep 03 2009 by MaxASPSteve

Barry - it has been requested to allow configuring a set of trusted proxies so only X-Forwarded-For headers from them are used - this is something I will get to at some point.

Krome - why does it matter whether or not this is a part of IIS - ARR itself is currently not part of IIS.

Oct 05 2009 by anilr

Yes - do you know if this will this run on an IIS 6 server?

Also, it would be nice if it became a native tool of IIS.  That way MS would potentialy update/continue to develop the tool.

Just in case you win the lottery :-)

Thanks!

Oct 20 2009 by jreed5

No, this will only run on IIS7+

Nov 05 2009 by anilr

Anil, is there any chance you could pass along the source.  I'm working on a module and this would be a great starting point.

-Joe

Nov 23 2009 by joepruitt

Anil, I assume I have to manually add requestRouterHelper after install.

Is it correct command to instal the module:

> appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"

?

Running this command I've got successfull install of a module but my sites stops working normally (errors 500 and 503 are logged).

What could be a problem?

The server is running Windows WebServer 2008 (x86) so I've installed x86 binary.

Dec 11 2009 by soneric

soneric, the install for the ARR helper will take care of installing the module.

Jan 08 2010 by anilr

Just installed this on two of or test servers and I'm having an issue with the default app pool shutting down.  Will the x64 version not work correctly in Server 2008 R2?

Apr 09 2010 by smccloud

smccloud, your shutdown issues are most definitely not due to ARR helper, you need to investigate them independently.

Apr 12 2010 by anilr

Anil, why doesn't this install on servers with "shared configuration" enabled?  I'm running two IIS 7 Servers behind an F5 and I'd like these servers to track client IP.  Shared configuration is important so the ARR rules are always in sync.

Apr 29 2010 by mcataldo@bluoceanlabs.com

If there are no errors executing the .msi is the helper active?  Do I have to enable the helper somewhere else?  The xml configuration files looks appropriate (I'm just trying to get the real client IP using x-forwarded-for).

Apr 29 2010 by mcataldo@bluoceanlabs.com

Posting this twice because I was logged in as anonymous on the first posting.  Anyway, is this supposed to work for ARR v2 as well.  I've installed this module on a test web server with no effect.  I've also installed it on my ARR test server just in case, also no effect.  Please advise.

Apr 30 2010 by adrianmaule

@mcataldo - installing on servers with shared configuration enabled has a few problems

a) the web server should ideally only have read access to the shared applicationhost.config

b) the config should only be updated by one of the installs and only after the binary has been installed on all the machines - this could be achieved by having a "binary only" and "binary + configuration" installation mode, but the current installation does not do it.

If the installation succeeded, ARR helper is active, the configuration only controls what header ARR helper uses for its various functionality, the default values match ARR's default values.

@adrianmaule - this should work against any load balancer which adds the client's ip address to a request header which includes ARRv1 and ARRv2.

May 10 2010 by anilr

We've installed the ARR helper and do not see it listed under modules within the IIS console. Additionally, after installing we still are not getting the client IP.  Any help would be appreciated.

Jun 03 2010 by troyjordan

Found the issue. It appears you cannot have UAC enabled when installing the ARR helper.

Jun 03 2010 by troyjordan

I have installed and uninstalled this several times. The IP is not showing in the the IIS logs. I do not see the module in IIS. What am I doing wrong? I am runnning a clean install of Server 2008 with only IIS added.

Jun 25 2010 by CRLord

TroyJordan was correct. You must disable UAC before installing this. It will not error or tell you that it did not install correctly.

Jun 25 2010 by CRLord

Hello,

How does the module resolve the issue for sites that have code to check for and require SSL? The module seems to be working as far as passing the HTTP_X_ARR_SSL and HTTP_X_ARR_LOG_ID and HTTP_X_FORWARDED_FOR variables, however, the site code is checking if "SERVER_PORT_SECURE" is 0 and if so to redirect to https and no matter what I try I can't get the end Content Server to detect "SERVER_PORT_SECURE" as 1 to indicate no redirect since the end Rewrite rule sends it to http://farm/{R:0}.

It works if I route it to https://farm/{R:0} and put the certificate on the content server, but I don't see how this method would be used for multiple sites and multiple content servers.

Does the ARR Helper Module not cover this or how can I force the Content Server to "think" it's using HTTPS?

I'm trying to accomplish this without changing the site code which requires HTTPS essentially.

Thank you!

Jul 07 2010 by AWOMS

AWOMS - it seems like you do not have ARR helper installed.  Can you verify that it installed correctly?  Check applicationhost.config

Aug 10 2010 by anilr

Is there anything we can do for IIS 6?

Aug 25 2010 by Cagwin

Similiar thing can be done using devcentral.f5.com/.../x-forwarded-for-http-module-for-iis7-source-included.aspx

This has source included in case if you want to customize the module.

Sep 07 2010 by samerdhoot

Thanks for the response, you're right it looks like the ARR-Helper wasn't installed on the ARR server. It was installed on the Content servers, but I'm not sure what I'm looking for in either applicationHost.config file.

Sep 23 2010 by AWOMS

hello

I have one ARR v2 server  alongwith 2 webservers (with shared iis configuration)  added to server farm.

I have chosen 'least current  request" as load balance algorithh

after installing arrhelper what else i have to do so as client ip get recorded in site logs instead of arr server IP.

Oct 08 2010 by deep1

Hi

Thanks for the plugin. I'm trying to get this working on Windows 2008 x64. I have FastCGI & PHP installed as I'm running a WP blog.

1) I installed the x64 MSI

2) Put appcmd in PATH

3) From cmd ran appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"

4) Dont see any configuration options in IIS?

5) Application pool crashes/shutdowns when I try to run site with following error

6) The Module DLL 'C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number. To learn more about this issue, including how to troubleshooting this kind of processor architecture mismatch error, see

7) I swited off 32-bit application pool - same error

8) I had to uninstall module to make the site work again.

Can you offer any assistance as we are behind a traffic manager that requires us to interpret the x-forwarded-for as the clients IP.

Thanks

Kosch

Oct 20 2010 by eqkosch

I'm trying to install ARR Helper on a 2k8 R2 web server but, it's not showing up in modules. I've verified that UAC is disabled as well.  Also, I've tried running appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll" but, It get an error saying it can add a duplicate entry. Why is this ARR Helper is not showing up in modules so I'm not sure how this is a duplicate.

Feb 28 2012 by troyjordan

Question: Will Arr Helper still translate X-Forwarded-For headers without ARR installed?

We want to use F5's OneConnect feature, which eliminates my need for ARR, but still requires overcoming the X-Forwarded-For header issue.  I was hoping ARR Helper would be a solution to my issue.

Apr 05 2012 by audio4ears

Update to my Post above:

YES, Arr Helper will still translate X-Forwarded-For headers without ARR installed.

Apr 05 2012 by audio4ears

We just installed this and found an unintended side-effect: Traffic sent from our load balancer (Kemp LoadMaster) on port 8004 is being re-routed to port 80, seemingly by the ARR Helper module. In other words, prior to installing the module requests, a site configured to respond to port 8004 (all IP address, blank host header) suddenly started logging hits to port 80, even though traffic was being sent by LoadMaster to port 8004.

Is there any way to prevent this from happening?

Nov 21 2012 by DaveRand

I am seeing the same thing. It is showing as port 80 in the logs.  How can I fix this?

Dec 20 2012 by K-Dubb

Any update on this?  How can we fix the redirect to port 80?

Thanks.

Jan 02 2013 by K-Dubb

Can you explain how you actually made use of "C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll" ?

Any more settings we need to do on IIS to log x-forwarded-for IP as client IP in IIS Logs ?

Nov 11 2013 by Mason422

Hi -

Same question as Mason422.  I have the ARRHelper and Aplication Request Routing both registered in the IIS modules under the main site, but still showing the NLB IP address in the IIS Logs.

Any help would be great

Jan 06 2014 by kirrill

Hi Experts,

Please suggest me how to set x-forwarded-for on IIS 7. we require client ip address and we used H/W load balance.

Thanks,

Navneet

Jan 28 2014 by navneet8485

I would just like to report that I have installed this on Server 2012 with II8.  It appears to be working.  It's a shame there isn't a more visible, official solution for this.

Apr 01 2014 by Rapzid

@Rapzid Did you need to do anything special?  I am getting pretty inconsitant results when trying to install the helper module on my Server 2012 test farm.  I have tried down grading UAC to every level, including disabled, and yet the ARR Helper will not show up in my modules list.

Apr 01 2014 by pkeenan

@anilr - I'm not sure if you are still supporting this in any way, but I seem to have come across a bug.  When I install the Helper Module on Server 2012 nothing shows up in my module list.  I run the appcmd.exe command [1] to manual add the modules and that succeeds.  However, when I browse to a site hosted on this server I get an HTTP 500.19 [2].  Do you have any idea what would be causing this?  I have UAC disabled and this is a fresh install of IIS 8.

Thanks!

[1] appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"

[2] 500.19 Error Code, Description: 0x80070490, The configuration section 'system.webServer/proxyHelper' cannot be read because it is missing a section declaration

Apr 01 2014 by pkeenan

Submit a Comment

  • Plain text is accepted.
  • URLs starting with http:// are converted to links.