X-Forwarded-For log filtering

The “X-Forwarded-For” is a HTTP header commonly used to pass the original client ip address as the web request traverses through reverse proxy servers. Furthermore, to truly capture the request ip address, the web server must be configured to record the ip address from the X-Forward-For header. If not, the log file will simply show that all requests are coming from the reverse proxy servers that frontend the web servers.

In apache, it’s very easy to update the log format to capture the right information. The original LogFormat looks like:

LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

Now simply replace %h with %{X-Forwarded-For}i:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

For Microsoft IIS, a custom ISAPI filter is required as it does not have a direct way to support the translation of the X-Forwarded-For value into the client ip (c-ip) header value used in its webserver logging. The folks at F5 wrote the necessary ISAP and published it for the world to use. You do not need a F5 BigIP to use this ISAPI filter as it’s IIS-specific. Installation is simple, simply follow the process documented on devcentral.