IIS IP Logging through reverse Proxy (Cloudflare)

Tags: http, iis-7.5, reverse-proxy, rewrite

I'm using an IIS server behind the nice "Cloudflare" reverse proxy.

This reverse proxy farm exposes an HTTP header to my server, namely HTTP_CF_CONNECTING_IP. It contains the IP that connects to Cloudflare, so I can actually see who's connecting.

Now I of course want to log these IPs. Cloudflare has a little web.config script that uses the IIS REWRITE option to change the REMOTE_ADDR server variable.

        <rules>
            <clear />
            <rule name="Replace REMOTE_ADDR with CF_CONNECTING_IP" enabled="true">
                <match url="(.*)" />
                <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                    <add input="{HTTP_CF_CONNECTING_IP}" pattern="\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" />
                </conditions>
                <serverVariables>
                    <set name="REMOTE_ADDR" value="{HTTP_CF_Connecting_IP}" />
                </serverVariables>
                <action type="None" />
            </rule>
        </rules>

Does this actually affect logging? Also: Does this affect what I get when I look at the request IP when running, for example, an ASP.NET application or a PHP script?

If it does, why does this exist: http://devcentral.f5.com/weblogs/Joe/archive/2009/12/23/x-forwarded-for-http-module-for-iis7-source-included.aspx

When we can just use IIS rewrite, what advantage does THIS get me?

Best Answer

Yes, this web.config "script" from Cloudflare does affect logging by capturing the IP address of the client (connecting) user that connected to the proxy and delivering it to your destination server via the server variable REMOTE_ADDR. Otherwise, you'd see the IP address of the proxy server as the requesting IP address.

I think this will work with ASP.NET applications but will NOT work with PHP applications. For those I would think you would need something along the lines of:

http://drupal.org/project/cloudflare (though I realize that is Drupal-specific, it is basically a PHP version of the ASP.NET way you listed)

The reason the F5 solution exists is to handle this on the Proxy Server side. Both the ASP.NET solution listed here, and the PHP solution listed for Drupal seem to be utilizing a value that CloudFlare is forwarding (HTTP_CF_Connecting_IP) and are intended to be used on the destination server.

I realize it has been a while since you asked this question but I figured this answer might help others even if you've already arrived at an answer/solution.
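
An application-side version of the PHP handling the answer refers to, as an added example that is not from the original post, from Cloudflare, or from the Drupal module. It takes the client address from HTTP_CF_CONNECTING_IP only when the connecting peer (REMOTE_ADDR) is inside a configured proxy range and the header parses as an IP address. The function names, the sample requests and the 192.0.2.0/24 and 2001:db8::/32 ranges are placeholder assumptions; the proxy's published ranges go in their place.

```php
<?php
// Added example. The ranges are documentation placeholders, not real proxy ranges.
const TRUSTED_PROXIES = ['192.0.2.0/24', '2001:db8::/32'];

// True when $ip falls inside $cidr; handles IPv4 and IPv6.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or address families differ
    }
    $bits  = (int) $bits;
    $whole = intdiv($bits, 8); // bytes covered completely by the prefix
    $rest  = $bits % 8;        // prefix bits left over in the following byte
    if (strncmp($ipBin, $netBin, $whole) !== 0) {
        return false;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return $rest === 0
        || (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

// Address to log: the forwarded one only if the peer is a trusted proxy.
function client_ip(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $forwarded = trim($server['HTTP_CF_CONNECTING_IP'] ?? '');
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            // Peer is the proxy: accept the header only if it is a valid IP.
            return filter_var($forwarded, FILTER_VALIDATE_IP) !== false ? $forwarded : $peer;
        }
    }
    return $peer; // direct connection: the header is ignored
}

// Constructed sample requests (all addresses are documentation ranges).
$samples = [
    ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_CF_CONNECTING_IP' => '203.0.113.7'], // peer is the proxy
    ['REMOTE_ADDR' => '198.51.100.5', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'], // peer is not the proxy
    ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_CF_CONNECTING_IP' => 'not-an-ip'],   // malformed header
];
foreach ($samples as $s) {
    echo $s['REMOTE_ADDR'], ' -> ', client_ip($s), PHP_EOL;
}
```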
