Logging the downstream client IP in the access log of the upstream ProxySG in a proxy chain



Solution

Overview

You want to log the downstream client IP in the access log of the upstream proxy in a proxy chain.

Resolution

In proxy chaining environments, the upstream (or parent) proxy logs all traffic as originating from the downstream (or child) proxy. To have the upstream proxy log the originating client's IP in its access logs, modify both the downstream and upstream proxies: configure the downstream proxy to add an HTTP header carrying the originating client's IP, and configure policy on the upstream proxy to override the access log field based on this added header.

To set this up, perform the following:

On the downstream ProxySG (the proxy that the clients communicate with first):

  1. Issue the following command in the CLI:

    ProxySG#(config) http add-header x-forwarded-for
    ok

On the upstream ProxySG:

  1. In the VPM, create a new Web Access Layer by selecting Policy > Add Web Access Layer.

  2. Right-click the Source field and select Set > New > Request Header.

    Header Name: X-Forwarded-For
    Header Regex: . (note there is a dot here)

  3. Right-click the Action field and select Set > Override Access Log Field.

    Log Name: [All]
    Field Name: c-ip
    Rewrite value to: $(request.header.X-Forwarded-For)

  4. Install the policy.
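
The upstream rule above rewrites c-ip whenever any X-Forwarded-For value is present, so the logged address is only as trustworthy as whoever sent the header. The following added example (Python, not ProxySG code and not part of the original article) models the same override with one extra condition: the header is honoured only when the connection comes from a known downstream proxy. The address 10.1.1.10, the function name, and the convention that each proxy appends to an existing X-Forwarded-For list are assumptions.

```python
import ipaddress

# Constructed sample: address of the downstream (child) proxy as seen
# by the upstream proxy. Replace with the real downstream address(es).
TRUSTED_DOWNSTREAM = (ipaddress.ip_network("10.1.1.10/32"),)


def logged_client_ip(peer_ip, xff_header, trusted=TRUSTED_DOWNSTREAM):
    """Return the value the upstream proxy should record as c-ip.

    peer_ip:    source address of the TCP connection to the upstream proxy.
    xff_header: raw X-Forwarded-For request header value, or None if absent.
    """
    peer = ipaddress.ip_address(peer_ip)

    # Only a known downstream proxy may override c-ip. A header arriving
    # from any other source is unverified, so the connection address is kept.
    if not any(peer in net for net in trusted):
        return str(peer)

    # No header: nothing to override with.
    if not xff_header:
        return str(peer)

    # The header may hold a comma-separated list. Assuming the downstream
    # proxy appends its entry, the right-most value is the one it observed;
    # values to its left were supplied by the client and are unverified.
    candidate = xff_header.split(",")[-1].strip()

    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Not an IP literal: keep the connection address rather than
        # writing arbitrary header text into the access log.
        return str(peer)
```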

InQuira Doc Id: KB1892

First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Software: SGOS 4, SGOS 5
Topic: Access Logging, Policy Management
Article Number: 000012257