碼上快樂

相關內容    簡體    繁體

IIS日志如何記錄X-Forwarded-For

本文轉載自   查看原文   2019-07-29 14:34   419    運維

起因

最近因為某個站點的流量異常,需要統計一下服務器的來源IP,本來開一下IIS日志就能搞定的事兒,但不幸的是生產服務器使用F5做了負載均衡,IIS日志無法記錄到真實IP,真實的IP在“x-forwarded-for”中,baidu了一堆,沒幾個靠譜的,還好有個bing能用,很快找到了下這篇文章,文章寫的條理清晰,淺顯易懂,立馬轉了過來,省的什么時候又給牆了,大家看原文吧,我懶得翻譯了。

原文:http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/

What's the issue?

When you load balance your website at layer 7, it will become non-transparent. This means that the actual client source IP address is replaced by the load balancer's own IP address - and only this address will be recorded in the IIS logs.
One way around this is to insert XFF headers on the load balancer to track the actual client source IP address. IIS can then be reconfigured to make this data available in the logs.
NB. The other options to gain source IP transparency are to configure the load balancer in layer 4 NAT mode, layer 4 DSR mode or Layer 7 with TPROXY enabled.

The solution - how to modify logging behaviour

The steps required depend on your version of IIS.

IIS 8.5 & later

A custom logging field can be added to record XFF headers.
To enable this feature:

  1. Start IIS Manager, then on the Connections pane on the left, click the appropriate website where you want to enable XFF logging. The Home page is then displayed in the main panel.
  2. From the Home page, double-click Logging.
  3. From the Log File section, click Select Fields.
  4. From the bottom left corner, click Add Field.
  5. In the Add Custom Field window, complete the following:
    • in Field Name, type X-Forwarded-For
    • in Source, type X-Forwarded-For
    • leave Source Type set to ‘Request Header’
    • click OK on the Add Custom Field window
    • click OK on the W3C Logging Fields window
  6. From the Actions pane on the right, click Apply to implement the change.
  7. The log files are located by default in the directory %SystemDrive%\inetpub\logs\LogFiles. IIS creates new log files and appends “_x” to the log file names to indicate that they contain custom fields.

UIIS 7 & IIS 7.5

For IIS 7 & 7.5 the Advanced Logging add-on must be installed. This can be downloaded here. Once installed on the IIS server, you'll see an extra option called 'Advanced Logging' in IIS.
To configure and enable Advanced Logging:

  1. Start IIS Manager, then on the Connections pane on the left, click the server, website or directory where you want to configure Advanced Logging. The related Home page is displayed in the main panel.
  2. From the Home page, under IIS, double-click Advanced Logging.
  3. From the Actions pane on the right, click Enable Advanced Logging.
  4. From the Actions pane on the right, click Edit Logging Fields.
  5. On the Edit Logging Fields window click Add Field, and then complete the following:
    • in Field ID, type ClientSourceIP
    • in Category, type *Default *
    • in Source type, select Request Header
    • in Source name, type X-Forwarded-For
    • click OK on the Add Logging Field form
    • click OK on the Edit Logging Fields form
  6. From the Actions pane on the right, click Add Log Definition.
  7. Enter Client Source IP in the Base file name field.
  8. Click Select Fields.
    • Check (enable) the ClientSourceIP field created earlier
  9. Click OK on the Select Logging Fields form, then click Apply in the actions pane.
  10. Click Return To Advanced Logging in the actions pane.
  11. Run iisreset /restart to apply the new settings.
  12. The advanced log must be viewed rather than the default log. The advanced log is located in %SystemDrive%inetpublogsAdvancedLogs. To view the logs, right-click the Client Source IP log definition and click View Log Files.

IIS 6

Unfortunately, the Microsoft solution mentioned above is not available for IIS 6. Luckily there are a number of other solutions - some costing money and others that have been released as open source. One excellent example that we've tested with our products is F5's X-Forwarded-For ISAPI filter. It's available in both in 32- and 64-bit versions.

  1. Download the zipped archive from here and extract to an appropriate folder.
  2. Navigate to the relevant version (32- or 64-bit).
  3. Copy F5XForwardedFor.dll to a suitable location on your server, e.g. C:ISAPIfilters.
  4. Make sure you have ISAPI Filters enabled on your IIS server.
  5. Open IIS Manager, right-click the site and select Properties.
  6. Select the ISAPI Filters tab.
  7. Click add, then in the popup enter a suitable name and select the DLL file stored in step 3.
  8. Restart your website.

后記

關於IIS日志分析,這里再推薦個工具HttpLogBrowser(傳送門),基本上大部分的統計需求都可以滿足,實在是居家旅行之必備。

補充

其實還有個方法,可以直接在IIS日志里輸出,就是使用F5XForwardedFor,注冊完成后重啟IIS,就會在日志里直接輸出(傳送門),我試了也是可行的,但不知道是不是官方方案,生產沒敢搞。


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 X-Forwarded-For (IIS日志記錄用戶真實IP) X-Forwarded-For注入漏洞過程記錄 爆庫記錄(X-Forwarded-For注入漏洞實戰 記錄) X-Forwarded-For和Referer Nginx 與 X-Forwarded-For tomcat記錄X-Forwarded-For字段中的遠程IP X-Forwarded-For注入漏洞 X-Forwarded-For偽造及防御 IIS利用X-Forwarded-For獲得來訪者的真實IP X-real-ip與X-Forwarded-For
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM