How do I add client IP to HTTP logs for Azure App Service sitting behind an Application Gateway

Chris Zielin 20

I have an App Service sitting behind an Application Gateway. It is configured to write web logs to both Storage and Analytics. However, the CIp field in these logs only appears to show the internal IPs of the gateway. Not the real client IPs.

This makes the logs of limited use when trying to determine the requests a particular client made.

I see others have asked this going back a few years, but don't see a solid answer on how to fix this. Is this configuration possible?

I managed to get this ISAPI filter from F5 working. When I stream the log output from the App Service I can see the real client IP now. However, when writing to Storage or Analytics it still only shows the internal IP.

https://github.com/yokawasa/azure-webapps-logging-original-clientip

Is there a way to configure Analytics to use the same output that the log stream is using?

If this simply isn't possible is there another way to correlate HTTP requests to actual client IPs?

ajkuma 27,851 Reputation points Microsoft Employee

2023-02-21T12:52:58.46+00:00

Thanks for posting this question. I'm checking on this and will get back to you shortly.

In the interim, I'll leave this open for community members to share their insights.
ajkuma 27,851 Reputation points Microsoft Employee

2023-02-22T12:58:30.4866667+00:00

Following-up, checking if you had a chance to see the previous response.

Just adding to Tchimwa suggestion, from App Service stand-point you may leverage AppServiceHTTPLogstable diagnostic setting from Azure Portal.

The query helps you to fetch info about the CIP(clientIP), to know which client the request is originating from.

As outlined in this doc - AppServiceHTTPLogs capture the [Web Server logging] which contains raw HTTP request data in the W3C extended log file format. Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.
Chris Zielin 85 Reputation points

2023-02-23T19:49:13.0866667+00:00

@ajkuma the AppServiceHTTPLogs table is exactly where I am looking. The CIp field in this table contains internal IP addresses of the gateway. It does not contain the actual client IP as you suggest it should.

Is there something I need to configure to make the CIp field properly populate with the real client IP?
Chris Zielin 85 Reputation points

2023-02-24T17:41:15.2833333+00:00

Thank you. This is not something I have yet tried. Will give it a shot when I'm able.

We have the App Service configured so that clients cannot hit it directly. They must go through the Gateway. Where I'm assuming any potential malicious XFF header would be replaced. Is this sufficient to mitigate an XFF spoofing attack?
Chris Zielin 85 Reputation points

2023-02-24T19:09:38.27+00:00

The ApplicationHost.xdt transform worked! Thank you!

For any future visitors to this thread the file must be placed in the c:\home\site directory within the App Service.

@ajkuma, can you please confirm that by disallowing direct access to the App Service (and routing all requests through the Application Gateway) we are protected from an XFF spoofing attack?
ajkuma 27,851 Reputation points Microsoft Employee

2023-02-27T19:23:02.52+00:00

@Chris Zielin , thanks for the follow-up and update. Glad to know that ApplicationHost.xdt transform worked.

Yes, the approach by restricting direct access to the Web App and enforcing WAF, it should mitigate the risk. All client requests will need to pass through the WAF where XFF is controlled and direct access would not be possible. Nonetheless, please note, still you need to maintain a focus on security and harden any other typical website aspects that you control.

If the answer helped (pointed you in the right direction) > please click Accept Answer
Much appreciate your patience and feedback!
ajkuma 27,851 Reputation points Microsoft Employee

2023-02-28T20:35:23.5166667+00:00

@Chris Zielin , If the answer helped (pointed you in the right direction) > please click Accept Answer.

If you have questions, please let us know. Much appreciate your patience and feedback!
Chris Zielin 85 Reputation points

2023-03-02T05:29:46.32+00:00

@ajkuma, I elevated your solution to an answer with the expectation that it would allow me to mark it as the accepted answer. However, I don't see that option available.
ajkuma 27,851 Reputation points Microsoft Employee

2023-03-02T14:37:33.69+00:00

@Chris Zielin ,

If the answer helped (pointed you in the right direction) > please click Accept Answer.

If you have questions, please let us know. Much appreciate your patience and feedback!
Chris Zielin 85 Reputation points

2023-03-02T15:29:19.35+00:00

@ajkuma, as mentioned above, there is no option for me to Accept Answer.
ajkuma 27,851 Reputation points Microsoft Employee

2023-03-03T08:44:25.6466667+00:00
@Chris Zielin , Much appreciate your follow-up. Apologies for any confusion.

From Q&A platform, there are a few limitations:

You can only accept one answer per question.

You can only accept answers from other users, i.e., you cannot accept your own answer.
Please check this document: Accept an answer on Microsoft Q&A
To benefit the community find the Accepted answer, I'll copy your answer, request you Accept that answer. Thank you very much for your collaboration and feedback on this! Always happy to help!
Chris Zielin 20 Reputation points

2023-03-20T18:28:04.67+00:00

I'm not sure what changed, but when I signed in this time I saw the option to accept answers. Including my own. Previously there was no option to accept any answer. Regardless of author. The answer has now been accepted.
This is the first time I've posted with this particular account. Perhaps there is a waiting period before the forum allows certain operations?
ajkuma 27,851 Reputation points Microsoft Employee

2023-03-21T05:10:18.2166667+00:00

Thanks for the follow-up and Accepting the answer. It's much appreciated!

There is no waiting period for user platform operations' to take affect, as mentioned in the doc Accept an answer on Microsoft Q&A - question author cannot accept their own answer. I'm following with the Q&A platform to understand what changed and reporting this has a concern. Thanks for your observation and feedback!
ajkuma 27,851 Reputation points Microsoft Employee

2023-03-21T05:48:18.83+00:00

Following-up, as per the feedback from our Q&A platform team.

The display name is the same, but you have used two different profiles - hence you were able to Accept the answer.

Question author: ChrisZielin-6707 | Microsoft Learn

Answerer: ChrisZielin-3995 | Microsoft Learn

Accepted answer

Chris Zielin 85 Reputation points

2023-02-24T20:30:54.2566667+00:00
Elevating @ajkuma's solution from the comments so it can be marked as the accepted answer.

Create an ApplicationHost.xdt file with the following content:
<?xml version="1.0"?> <configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform"> <system.webServer> <arrHelper> <trustedProxies xdt:Transform="SetAttributes(trustUnlisted)" trustUnlisted="true" /> </arrHelper> </system.webServer> </configuration>

Make sure your App Service is configured so that it does not allow direct access in order to avoid X-Forwarded-For spoofing attacks.

Upload the file to c:\home\site within your App Service.

Restart the App Service.

Make a request against your site and verify that the AppServicesHTTPLogs.CIp field contains your IP.
Please sign in to rate this answer.

1 person found this answer helpful.
Ashu Gupta 0 Reputation points

2024-12-20T14:21:01.86+00:00

It is not working on my Linux app . please suggest
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

3 additional answers

ajkuma 27,851 Reputation points Microsoft Employee

2023-02-26T19:19:49.7666667+00:00

On Windows clients, we have the ARR Helper, which does some magic plumbing of IIS Request sever variables.  One of which is the REMOTE_ADDR / REMOTE_HOST, and the ARR Helper sets this based on the XFF.

We have a way/approach to override that behavior, by using an ApplicationHost.xdt transform:

 

<?xml version="1.0"?>

<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">

  <system.webServer>

    <arrHelper>

      <trustedProxies xdt:Transform="SetAttributes(trustUnlisted)" trustUnlisted="true" />

    </arrHelper>

  </system.webServer>

</configuration>

 

This will override the existing (secure) behavior, and let you trust the last entry on the list.  And that's what will get logged.  As an important note, if you opt this route, the app is open to XFF spoofing attacks, so you must implement mitigations on your side to counter this. Please check this 3rd party blog article from one of our engineer.

See: https://github.com/projectkudu/kudu/wiki/Xdt-transform-samples
Please sign in to rate this answer.

2 people found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Tchimwa Sougang 946 Reputation points Microsoft Employee

2023-02-21T13:21:15.4633333+00:00

Hi @Chris Zielin thank you for your question. The AppGW usually adds 6 headers to every requests before routing it to the backend. Look for the header x-forward-for which is composed of and IP and port used by the customers. The IP is your client IP.

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/application-gateway/how-application-gateway-works.md

Please do not Forget to Accept the Answer if it is helpful so others can benefit from it.
Please sign in to rate this answer.
Chris Zielin 85 Reputation points

2023-02-23T19:45:52.42+00:00

Yes, this is how the ISAPI filter I mentioned in my original post works. It relies upon the X-Forwarded-For header being present in the requests being forwarded to the App Service. The problem is the value in the X-Forwarded-For header is not placed into the CIp field (or anywhere else in the logs) as expected.

How would one "look for the header X-Forwarded-For" in the App Service logs as you suggest?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
ajkuma 27,851 Reputation points Microsoft Employee

2023-03-03T08:50:05.3633333+00:00
Based on the discussions ( in comments + answers), copying the elevated summarized answer from @Chris Zielin @Chris Zielin , to benefit the community find the right accepted answer.
Q&A platform doc: Accept an answer on Microsoft Q&A

Create an ApplicationHost.xdt file with the following content:

<?xml version="1.0"?> <configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform"> <system.webServer> <arrHelper> <trustedProxies xdt:Transform="SetAttributes(trustUnlisted)" trustUnlisted="true" /> </arrHelper> </system.webServer> </configuration>

Make sure your App Service is configured so that it does not allow direct access in order to avoid X-Forwarded-For spoofing attacks.

3.Upload the file to c:\home\site within your App Service.

Restart the App Service.

Make a request against your site and verify that the AppServicesHTTPLogs.CIp field contains your IP.

Much appreciate your feedback and collaboration on this, @Chris Zielin
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How do I add client IP to HTTP logs for Azure App Service sitting behind an Application Gateway

3 additional answers

Your answer