How to add the value of the X-Forwarded-for header into an access log
Article ID: 169177
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
Typically in "child-parent" / "downstream-upstream" ProxySG deployments the users IP address is not available to the parent proxy. In this scenario data analysis tools are unable to trace traffic back to the original user.
One option for working around this is to leverage the X-Forwarded-For header field to pass on the users IP address to the parent ProxySG. Once the parent ProxySG has the value we can write policy to extract the data and write it to all access logs or a specific access log.
Resolution
The following CPL will achieve two things
; This rule rewrites the x-virus-id field to the value of the x-forwarded field to all access logs
;; Tab: [Web Access Layer (1)]
<Proxy>
;the following will stop the x-forwarded for value from leaking out onto the internet
;; Tab: [SuppressXheader]
<Proxy>
define action SuppressHeader
- it will copy the contents of the X-Forwarded-For field into an existing field in all access logs, in this example we have chosen an unused field, the x-virus-id field, other fields may be used such as the c-ip field but then you will lose this data. an alternative is to create a new log format just for this purpose.
- to avoid user IP address leaking out onto the internet this policy suppresses the X-Forwarded-For field
; This rule rewrites the x-virus-id field to the value of the x-forwarded field to all access logs
;; Tab: [Web Access Layer (1)]
<Proxy>
log.rewrite."x-virus-id"("$(cs(X-Forwarded-For))") log.suppress."x-virus-id"(no) ; Rule 1
;the following will stop the x-forwarded for value from leaking out onto the internet
;; Tab: [SuppressXheader]
<Proxy>
action.SuppressHeader(yes) ; Rule 1
define action SuppressHeader
delete(request.header.X-Forwarded-For)
end action SuppressHeader Feedback
Yes
No
Powered by
