Client-ip not logged on application server when using ARR

I have been meaning to blog for a while, but something always seems to get in the way.  So, here is my first blog post.

Let me first introduce myself.  I have been a developer on the IIS team since 1999, from the beginning of the IIS6 product cycle.  I worked on the request processing pipeline for IIS6 and IIS7, including the new native extensibility in IIS7 and integration with the asp.net pipeline to make managed extensibility of IIS pipeline possible.  I know that many people have questions both about the IIS7 native extensibility and the integrated pipeline and I try to answer them in forums whenever I can, but you should send me any topics that you would like me to address in this blog.  Since IIS7 shipped, I have been working on ARR.  We just shipped RTW for v1 of ARR.  We are working on some great new things for the next version of ARR and would definitely love to hear any feature requests or feedback from ARRv1 that we can incorporate into future releases.  But, more on that later.

Today, I am trying to address a specific problem users of ARR (or any other load-balancer that does not do direct server return) have.  Specifically, that the client-ip that gets logged on their application server is the ip of the load-balancer and not the real client-ip.  Also, others have reported problem when using the SSL offloading feature of ARR that since the request to the application is over http which can trip up application logic including any absolute links generated by the application.  Also, there is need to correlate IIS logs between the ARR machine and the content server for troubleshooting or other reasons. I have written a module which you can install on your application servers running IIS7 to take care of these problems.

Download x64 x86

Extract the msi from the zip file and run it.  It will install the module under "%PROGRAMFILES%\IIS\ARR Helper\"  and register the configuration section it uses.  It allows configuration of a few parameters in IIS configuration - you can find them in %windir%\system32\inetsrv\config\schema\arr_helper_schema.xml - they should be pretty self descriptive.  You can use appcmd/AHAdmin/MWA/Config-Editor etc to edit those configuration parameters.

Edit: I have updated the msi downloads to fix a couple of bugs and add a couple of features that people reported.

Edit 11/05/2009: as per suggestions from the forums, I have added feature to the ARR helper to configure ip addresses of trusted proxies.  Only X-Forwarded-For headers from those proxies will be honored.

Technorati Tags: ,,

41 Comments

  • Any reason why something like this hasn't been added to IIS7 core or at least an IIS7 feature?

  • Have you considered allowing an option to choose whether to use the first or last entry in the X-Forwarded-For header? We'd love to use this helper for sites that are CDN enabled, but currently your helper uses the last proxy device on the CDN instead of the originating client. For example, a header of X-Forwarded-For: 192.168.1.1, 192.168.100.1, 192.168.200.1 causes you to set REMOTE_ADDR to 192.168.200.1 but in this case the origin of the request is actually 192.168.1.1

  • I have had good luck with this tool, we are using ARR behind ServerIron LB's, and this tool accurately reports the client IP both in the W3SVC logs and in my test page:




    Client IP Test Page




    Your IP Address is




  • Barry - it has been requested to allow configuring a set of trusted proxies so only X-Forwarded-For headers from them are used - this is something I will get to at some point.
    Krome - why does it matter whether or not this is a part of IIS - ARR itself is currently not part of IIS.

  • Yes - do you know if this will this run on an IIS 6 server?

    Also, it would be nice if it became a native tool of IIS. That way MS would potentialy update/continue to develop the tool.
    Just in case you win the lottery :-)

    Thanks!

  • No, this will only run on IIS7+

  • Anil, is there any chance you could pass along the source. I'm working on a module and this would be a great starting point.

    -Joe

  • Anil, I assume I have to manually add requestRouterHelper after install.
    Is it correct command to instal the module:
    > appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"
    ?
    Running this command I've got successfull install of a module but my sites stops working normally (errors 500 and 503 are logged).
    What could be a problem?
    The server is running Windows WebServer 2008 (x86) so I've installed x86 binary.

  • soneric, the install for the ARR helper will take care of installing the module.

  • Just installed this on two of or test servers and I'm having an issue with the default app pool shutting down. Will the x64 version not work correctly in Server 2008 R2?

  • smccloud, your shutdown issues are most definitely not due to ARR helper, you need to investigate them independently.

  • Anil, why doesn't this install on servers with "shared configuration" enabled? I'm running two IIS 7 Servers behind an F5 and I'd like these servers to track client IP. Shared configuration is important so the ARR rules are always in sync.

  • If there are no errors executing the .msi is the helper active? Do I have to enable the helper somewhere else? The xml configuration files looks appropriate (I'm just trying to get the real client IP using x-forwarded-for).

  • Posting this twice because I was logged in as anonymous on the first posting. Anyway, is this supposed to work for ARR v2 as well. I've installed this module on a test web server with no effect. I've also installed it on my ARR test server just in case, also no effect. Please advise.

  • @mcataldo - installing on servers with shared configuration enabled has a few problems
    a) the web server should ideally only have read access to the shared applicationhost.config
    b) the config should only be updated by one of the installs and only after the binary has been installed on all the machines - this could be achieved by having a "binary only" and "binary + configuration" installation mode, but the current installation does not do it.

    If the installation succeeded, ARR helper is active, the configuration only controls what header ARR helper uses for its various functionality, the default values match ARR's default values.

    @adrianmaule - this should work against any load balancer which adds the client's ip address to a request header which includes ARRv1 and ARRv2.

  • We've installed the ARR helper and do not see it listed under modules within the IIS console. Additionally, after installing we still are not getting the client IP. Any help would be appreciated.

  • Found the issue. It appears you cannot have UAC enabled when installing the ARR helper.

  • I have installed and uninstalled this several times. The IP is not showing in the the IIS logs. I do not see the module in IIS. What am I doing wrong? I am runnning a clean install of Server 2008 with only IIS added.

  • TroyJordan was correct. You must disable UAC before installing this. It will not error or tell you that it did not install correctly.

  • Hello,

    How does the module resolve the issue for sites that have code to check for and require SSL? The module seems to be working as far as passing the HTTP_X_ARR_SSL and HTTP_X_ARR_LOG_ID and HTTP_X_FORWARDED_FOR variables, however, the site code is checking if "SERVER_PORT_SECURE" is 0 and if so to redirect to https and no matter what I try I can't get the end Content Server to detect "SERVER_PORT_SECURE" as 1 to indicate no redirect since the end Rewrite rule sends it to http://farm/{R:0}.

    It works if I route it to https://farm/{R:0} and put the certificate on the content server, but I don't see how this method would be used for multiple sites and multiple content servers.

    Does the ARR Helper Module not cover this or how can I force the Content Server to "think" it's using HTTPS?

    I'm trying to accomplish this without changing the site code which requires HTTPS essentially.

    Thank you!

  • AWOMS - it seems like you do not have ARR helper installed. Can you verify that it installed correctly? Check applicationhost.config

  • Is there anything we can do for IIS 6?

  • Similiar thing can be done using http://devcentral.f5.com/weblogs/Joe/archive/2009/12/23/x-forwarded-for-http-module-for-iis7-source-included.aspx

    This has source included in case if you want to customize the module.

  • Thanks for the response, you're right it looks like the ARR-Helper wasn't installed on the ARR server. It was installed on the Content servers, but I'm not sure what I'm looking for in either applicationHost.config file.

  • hello

    I have one ARR v2 server alongwith 2 webservers (with shared iis configuration) added to server farm.
    I have chosen 'least current request" as load balance algorithh
    after installing arrhelper what else i have to do so as client ip get recorded in site logs instead of arr server IP.

  • Hi
    Thanks for the plugin. I'm trying to get this working on Windows 2008 x64. I have FastCGI & PHP installed as I'm running a WP blog.
    1) I installed the x64 MSI
    2) Put appcmd in PATH
    3) From cmd ran appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"
    4) Dont see any configuration options in IIS?
    5) Application pool crashes/shutdowns when I try to run site with following error
    6) The Module DLL 'C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number. To learn more about this issue, including how to troubleshooting this kind of processor architecture mismatch error, see
    7) I swited off 32-bit application pool - same error
    8) I had to uninstall module to make the site work again.
    Can you offer any assistance as we are behind a traffic manager that requires us to interpret the x-forwarded-for as the clients IP.
    Thanks
    Kosch

  • I'm trying to install ARR Helper on a 2k8 R2 web server but, it's not showing up in modules. I've verified that UAC is disabled as well. Also, I've tried running appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll" but, It get an error saying it can add a duplicate entry. Why is this ARR Helper is not showing up in modules so I'm not sure how this is a duplicate.

  • Question: Will Arr Helper still translate X-Forwarded-For headers without ARR installed?

    We want to use F5's OneConnect feature, which eliminates my need for ARR, but still requires overcoming the X-Forwarded-For header issue. I was hoping ARR Helper would be a solution to my issue.

  • Update to my Post above:

    YES, Arr Helper will still translate X-Forwarded-For headers without ARR installed.

  • We just installed this and found an unintended side-effect: Traffic sent from our load balancer (Kemp LoadMaster) on port 8004 is being re-routed to port 80, seemingly by the ARR Helper module. In other words, prior to installing the module requests, a site configured to respond to port 8004 (all IP address, blank host header) suddenly started logging hits to port 80, even though traffic was being sent by LoadMaster to port 8004.

    Is there any way to prevent this from happening?

  • I am seeing the same thing. It is showing as port 80 in the logs. How can I fix this?

  • Any update on this? How can we fix the redirect to port 80?

    Thanks.

  • Can you explain how you actually made use of "C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll" ?

    Any more settings we need to do on IIS to log x-forwarded-for IP as client IP in IIS Logs ?

  • Hi -
    Same question as Mason422. I have the ARRHelper and Aplication Request Routing both registered in the IIS modules under the main site, but still showing the NLB IP address in the IIS Logs.
    Any help would be great

  • Hi Experts,

    Please suggest me how to set x-forwarded-for on IIS 7. we require client ip address and we used H/W load balance.


    Thanks,
    Navneet

  • I would just like to report that I have installed this on Server 2012 with II8. It appears to be working. It's a shame there isn't a more visible, official solution for this.

  • @Rapzid Did you need to do anything special? I am getting pretty inconsitant results when trying to install the helper module on my Server 2012 test farm. I have tried down grading UAC to every level, including disabled, and yet the ARR Helper will not show up in my modules list.

  • @anilr - I'm not sure if you are still supporting this in any way, but I seem to have come across a bug. When I install the Helper Module on Server 2012 nothing shows up in my module list. I run the appcmd.exe command [1] to manual add the modules and that succeeds. However, when I browse to a site hosted on this server I get an HTTP 500.19 [2]. Do you have any idea what would be causing this? I have UAC disabled and this is a fresh install of IIS 8.

    Thanks!

    [1] appcmd.exe install module /name:requestRouterHelper /image:"C:\Program Files\IIS\ARR Helper\requestRouterHelper.dll"

    [2] 500.19 Error Code, Description: 0x80070490, The configuration section 'system.webServer/proxyHelper' cannot be read because it is missing a section declaration

  • I have disabled UAC and installed ARR Helper on Windows Server 2008 R2 64 bits systems. However IIS is still not logging the source IP but the proxy. I see reference to a file called 'applicationhost.config' and am wonder where this file should be? I did a search and there are 3 copies of applicationhost.config, all under C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.xxx...... Do I need to update the applicationhost.config file before ARR Helper will work? Do I need to setup the trust list on the scheme file if I want to log all access to web sites on the server? And I don't see any module under IIS section too, what is the name of the module that show up in there? And do I need to install the requestRouterHelper.dll manual? Seems to me that some say 'yes', and some say 'no'. Thanks.

  • I can confirm that the ARR Helper works just fine on WS 2012 R2.

    @laman & @pkeenan - Did you install using the requestrouterhelper_x64.msi ? Or did you manually copy the DLL over to the worker server? If you used the .msi, then the applicationHost.config should have already been correctly updated with the correct configuration, and the arr_helper_schema.xml file should have been correctly placed in the %SystemRoot%\system32\inetsrv\config\schema directory.

    @kirrill - requestRouterHelper can only be configured as a global module (system.webServer/globalModules section); you do not configure it at the site level. Also, same question to you: did you install by manually coping files, or from the .msi? Also, you should only install the requestRouterHelper on the *worker* boxes, not on the ARR box. Further, you shouldn't install ARR on the *worker* boxes.

    NOTE: Just to clarify: When you install ARR via MSI (requestRouter_{flavor}.msi), it places the requestRouterHelper_{flavor}.msi in the "%ProgramFiles%\IIS\Application Request Routing" directory. You should then copy the requestRouterHelper_{flavor}.msi to your worker boxes and run the requestRouterHelper_{flavor}.msi. (where: {flavor} = {x64 | x86})

    If you install the helper using the MSI, you shouldn't need to do anything else to make the helper work! The MSI install should copy the ARR helper schema file to the right place, make the edits to the applicationHost.config file, and you should be good-to-go.

    This has been tested & verified in ARRv3.

  • You CAN install this module with UAC enabled

    We use this little trick to install our Exchange patches also since we do not want to disable UAC.

    Just open a Command prompt by right clicking on it and selecting to "Run as Administrator"
    Then CD to your folder where the MSI is located and run it from CMD.

    This way you elevate the MSI installer and it installs correctly without the need to reduce the security of your server.

Comments have been disabled for this content.