Two ways to use IIS to call X-Forwarded-For Header (XFF) to record the visitor's real IP

Problem: The website published through IIS is placed behind the F5 device. After being filtered by the WAF device in transparent monitoring mode, the real IP address of the public network visitor is replaced by the IP address of the WAF device, and the original real IP address cannot be seen in the website log.

Solution 1: Use a third-party IIS plug-in to call X-Forwarded-For to obtain the visitor's real IP address, solving the problem that IIS cannot record the user's IP address after being placed on f5.
Solution 2: Use Microsoft's official advanced log module function to call X-Forwarded-For to record the real IP address;

Please note that both of the above solutions require the WAF administrator to define X-Forwarded-For data forwarding on the F5 device before use!

Scenario 1:

And unzip the F5XForwardedFor file.

Download address: https://www.jb51.net/softs/770998.html

Copy F5XFFHttpModule.dll and F5XFFHttpModule.ini in the x86\Release or x64\Release directory to a directory, such as C:\F5XForwardedFor\, according to your server operating system version. Make sure the IIS process has read permissions to the directory.

Open IIS Manager and double-click the module feature.

Click Configure Native Module, and then in the dialog box that pops up, click Register.

Add the downloaded .dll file (it is best to add both x64 and x86)

Authorize the two files you added to allow ISAPI and CGI extensions to run.

After returning to the home page, restart IIS:

Go to %SystemDrive%\inetpub\logs\LogFiles to query the IIS log, and you can see that the log already contains relevant original IP information.

Scenario 2:

Download and install IIS advanced logging function https://www.microsoft.com/en-gb/download/details.aspx?id=7211

Re-enter the IIS homepage and double-click to open the advanced logging function:

To activate advanced logging:

Modify the local log field configuration and add fields:

Enter "ClientSourceIP" in Field ID.

Select "Default" in Category;

Select "Request Header" for Source type;

Enter "X-Forwarded-For" in Source name;

Add log definition:

Enter "Client Source IP" in the "Base file name" field; then click the "Select Fields" button and select "ClientSourceIP"; finally click "Apply" and return to the home page;

After returning to the home page, restart IIS:

By querying the advanced log, you can get the visitor's original IP information:

This concludes this article about two methods of IIS calling X-Forwarded-For Header (XFF) to record the visitor's real IP address. For more information about IIS calling X-Forwarded-For, please search 123WORDPRESS.COM's previous articles or continue to browse the following related articles. I hope you will support 123WORDPRESS.COM in the future!