How to add the value of the X-Forwarded-for header into an access log

Article ID: 169177

Products

ProxySG Software - SGOS

Issue/Introduction

Typically, in "child-parent" / "downstream-upstream" ProxySG deployments, the user's IP address is not available to the parent proxy. In this scenario, data analysis tools are unable to trace traffic back to the original user.

One option for working around this is to leverage the X-Forwarded-For header field to pass the user's IP address on to the parent ProxySG. Once the parent ProxySG has the value, we can write policy to extract the data and write it to all access logs or to a specific access log.

Resolution

The following CPL achieves two things:
  1. It copies the contents of the X-Forwarded-For field into an existing field in all access logs. In this example we have chosen an unused field, the x-virus-id field. Other fields, such as the c-ip field, may be used, but you will then lose the data that field normally holds. An alternative is to create a new log format just for this purpose.
  2. To avoid the user's IP address leaking out onto the internet, the policy suppresses the X-Forwarded-For field.
The following policy needs to be applied to the parent ProxySG. This policy can also be created from the VPM.

; This rule rewrites the x-virus-id field in all access logs with the value of the X-Forwarded-For header
;; Tab: [Web Access Layer (1)]
<Proxy>
log.rewrite."x-virus-id"("$(cs(X-Forwarded-For))") log.suppress."x-virus-id"(no)              ; Rule 1
 
; The following stops the X-Forwarded-For value from leaking out onto the internet
             
;; Tab: [SuppressXheader]
<Proxy>
action.SuppressHeader(yes)       ; Rule 1
               
define action SuppressHeader
delete(request.header.X-Forwarded-For)
end action SuppressHeader
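
Once the header value is in the log, the analysis side still has to decide when to believe it. The following is an added example, not part of the original article or of any Broadcom tooling: it reads an ELFF-style log and attributes each request to a user address, using the rewritten x-virus-id field only when c-ip is a known child proxy. The log layout, the sample lines, the child proxy address 10.0.0.2 and the function names are all assumptions made for illustration.

```python
import ipaddress
import shlex

# Constructed sample log (not from the article). Assumes an ELFF-style format
# whose "#Fields:" line names c-ip and the rewritten x-virus-id field.
SAMPLE_LOG = '''#Software: constructed sample
#Fields: date time c-ip cs-host x-virus-id
2024-01-01 10:00:00 10.0.0.2 example.com 192.168.5.20
2024-01-01 10:00:01 10.0.0.2 example.com "203.0.113.7, 192.168.5.21"
2024-01-01 10:00:02 10.0.0.2 example.com -
2024-01-01 10:00:03 10.0.0.2 example.com not-an-ip
2024-01-01 10:00:04 172.16.9.9 example.com 192.168.5.22
'''

# Assumption: addresses of the child proxies allowed to assert a client IP.
CHILD_PROXIES = {"10.0.0.2"}


def parse_log(text):
    """Yield one dict per log line, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, shlex.split(line)))


def original_client(record, field="x-virus-id"):
    """Return (address, source) naming the user behind one request."""
    c_ip = record["c-ip"]
    if c_ip not in CHILD_PROXIES:
        # Header was not set by a proxy we control, so ignore its value.
        return c_ip, "c-ip (untrusted sender)"
    value = record.get(field, "-")
    if value == "-":
        return c_ip, "c-ip (no header)"
    # Keep the right-most entry: under the usual append convention it is the
    # hop seen by the nearest proxy; earlier entries are client-supplied.
    candidate = value.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), "x-forwarded-for"
    except ValueError:
        return c_ip, "c-ip (invalid header value)"


def attribute(text):
    """Attribute every request in a log to a user address."""
    return [original_client(r) for r in parse_log(text)]
```

Rows whose source is not "x-forwarded-for" are worth reviewing, since they show requests that reached the parent without a usable header from a child proxy.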