Client-ip not logged on application server when using ARR

Posted: Mar 03, 2009  9 comments  

Tags
ARR
IIS7
X-Forwarded-For

I have been meaning to blog for a while, but something always seems to get in the way.  So, here is my first blog post.

Let me first introduce myself.  I have been a developer on the IIS team since 1999, from the beginning of the IIS6 product cycle.  I worked on the request processing pipeline for IIS6 and IIS7, including the new native extensibility in IIS7 and integration with the asp.net pipeline to make managed extensibility of IIS pipeline possible.  I know that many people have questions both about the IIS7 native extensibility and the integrated pipeline and I try to answer them in forums whenever I can, but you should send me any topics that you would like me to address in this blog.  Since IIS7 shipped, I have been working on ARR.  We just shipped RTW for v1 of ARR.  We are working on some great new things for the next version of ARR and would definitely love to hear any feature requests or feedback from ARRv1 that we can incorporate into future releases.  But, more on that later.

Today, I am trying to address a specific problem that users of ARR (or any other load balancer that does not do direct server return) have: the client IP that gets logged on their application server is the IP of the load balancer and not the real client IP.  Others have reported a problem when using the SSL offloading feature of ARR: the request to the application arrives over HTTP, which can trip up application logic, including any absolute links generated by the application.  There is also a need to correlate IIS logs between the ARR machine and the content server, for troubleshooting or other reasons.  I have written a module which you can install on your application servers running IIS7 to take care of these problems.

Download x64 x86

Extract the msi from the zip file and run it.  It will install the module under "%PROGRAMFILES%\IIS\ARR Helper\" and register the configuration section it uses.  The module exposes a few parameters in IIS configuration.  You can find them in %windir%\system32\inetsrv\config\schema\arr_helper_schema.xml, and they should be pretty self-descriptive.  You can use appcmd, AHAdmin, MWA, Config-Editor, etc. to edit those configuration parameters.

Edit: I have updated the msi downloads to fix a couple of bugs and add a couple of features that people reported.

Edit 11/05/2009: as per suggestions from the forums, I have added a feature to the ARR helper to configure the IP addresses of trusted proxies.  Only X-Forwarded-For headers from those proxies will be honored.
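
The trusted-proxy rule above, sketched as an added example; this is not the ARR helper's code, and it goes one step further by handling a header that carries several entries. The function name, CIDR ranges and addresses are constructed for illustration.

```python
import ipaddress

def resolve_client_ip(peer_addr, xff_header, trusted_proxies):
    """Pick the address to log as the client.

    peer_addr       -- TCP peer of the connection to the application server
    xff_header      -- raw X-Forwarded-For value, or None if absent
    trusted_proxies -- CIDR strings for proxies allowed to supply the header
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_addr)
    # A header delivered by an untrusted peer is ignored outright.
    if not xff_header or not is_trusted(current):
        return str(current)

    # Each proxy appends the address it saw, so the rightmost entry is the
    # one vouched for by the peer. Walk right to left while the address just
    # accepted is itself a trusted proxy.
    for hop in reversed(xff_header.split(",")):
        try:
            candidate = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        current = candidate
        if not is_trusted(current):
            break  # first untrusted hop is the best available client address
    return str(current)


if __name__ == "__main__":
    # Constructed ranges and requests (documentation address space).
    proxies = ["10.0.0.0/24", "192.0.2.0/24"]
    samples = [
        ("10.0.0.5", "203.0.113.7"),                          # one trusted proxy
        ("198.51.100.9", "203.0.113.7"),                      # untrusted peer
        ("10.0.0.5", "203.0.113.7, 192.0.2.10, 192.0.2.20"),  # chain of proxies
        ("10.0.0.5", "198.51.100.200, 203.0.113.7"),          # client-supplied entry
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff, proxies))
```

Taking the leftmost entry unconditionally would log whatever value a client chose to send, which is why the walk stops at the first address outside the trusted set.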

Comments

  1. pure.krome
    July 28, 2009

    Any reason why something like this hasn't been added to IIS7 core or at least an IIS7 feature?

  2. barryhagan
    August 19, 2009

    Have you considered allowing an option to choose whether to use the first or last entry in the X-Forwarded-For header?  We'd love to use this helper for sites that are CDN enabled, but currently your helper uses the last proxy device on the CDN instead of the originating client.  For example, a header of  X-Forwarded-For: 192.168.1.1, 192.168.100.1, 192.168.200.1  causes you to set REMOTE_ADDR to 192.168.200.1 but in this case the origin of the request is actually 192.168.1.1

  3. MaxASPSteve
    September 3, 2009

    I have had good luck with this tool, we are using ARR behind ServerIron LB's, and this tool accurately reports the client IP both in the W3SVC logs and in my test page:

    <%@ LANGUAGE="VBSCRIPT" %>
    <HTML>
    <HEAD>
    <TITLE>Client IP Test Page</TITLE>
    <% ClientIP=Request.ServerVariables("REMOTE_HOST")%>
    </HEAD>
    <BODY>
    <p>
    Your IP Address is <% Response.Write(ClientIP) %>
    </p>
    </BODY>
    </HTML>

  4. anilr
    October 5, 2009

    Barry - it has been requested to allow configuring a set of trusted proxies so only X-Forwarded-For headers from them are used - this is something I will get to at some point.

    Krome - why does it matter whether or not this is a part of IIS - ARR itself is currently not part of IIS.

  5. jreed5
    October 20, 2009

    Yes - do you know if this will run on an IIS 6 server?

    Also, it would be nice if it became a native tool of IIS.  That way MS would potentially update/continue to develop the tool.

    Just in case you win the lottery :-)

    Thanks!

  6. anilr
    November 5, 2009

    No, this will only run on IIS7+

  7. joepruitt
    November 23, 2009

    Anil, is there any chance you could pass along the source?  I'm working on a module and this would be a great starting point.

    -Joe

  8. soneric
    December 11, 2009

    Anil, I assume I have to manually add requestRouterHelper after install.

    Is this the correct command to install the module:

    > appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"

    ?

    Running this command I've got a successful install of a module but my sites stop working normally (errors 500 and 503 are logged).

    What could be the problem?

    The server is running Windows WebServer 2008 (x86) so I've installed x86 binary.

  9. anilr
    January 8, 2010

    soneric, the install for the ARR helper will take care of installing the module.
