Implement X-Forwarded-For Header to get Real Client IP Address (Who's on)
Idea shared by Jairo Marques - 11/24/2017 at 4:06 PM
Hi Guys,
The X-Forwarded-For (XFF) HTTP header field is a standard method for identifying the originating IP address of a client connecting to a server through any proxy.

Proxies like KEMP LoadMaster, TMG (with a plugin), pfSense and others allows us to give the client's IP to the destination Real Server by inserting an additional HTTP header (called X-Forwarded-For) when L7 is used with non-transparency.

This option of inserting the HTTP header (called X-Forwarded-For) allows the client source IP address to be logged by the Real Server's IIS logs.

My idea is that SmartTrack use this method to catch the real client IP Address and use in Who's On feature.

Something like:

var forwardedFor = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];

var userIpAddress = String.IsNullOrWhiteSpace(forwardedFor) ?
    Request.ServerVariables["REMOTE_ADDR"] : forwardedFor.Split(',').Select(s => s.Trim()).First();

5 Replies

Reply to Thread
I have the same issue with haproxy in front of SmarterMail for all protocolls.

Please have a look on these feature request.

Thanks & regards
Andrew Barker Replied
Employee Post
After internal discussion, we have decided not to implement this feature. Implementing this would run the risk of exposing private IP addresses and could break our IP geolocation functionality.
Andrew Barker Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
Thanks for the reply. I can't really see that these are hard arguments to not implement. I'm a datacenter/application design expert for more than 10 years. For an up to date application design fulfilling security aspects a proxy/sec geteway ... is absolutely necessary. Best would be

Proxy/Sec Gateway -> Application/web Server -> Backend Data store

No way to expose an application/http server direct to the internet. Always use something like F5 LBL, haproxy, nginx, apache, IIS. Not to talk ablot load balancing, HA setups and SSL offloading.

To fulfill these major app design rules, it's an absolutely need to implement X-Forwarded-For header (https://tools.ietf.org/html/rfc7239) and the proxy protocoll (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). A lot of applications do so right now!

Without these features, all IP restrictions, protocoll information / geolocation is wothless when using an security based application design.

So I would really appreciate to think about these really necessary feature for the Web and mail services (imap, smtp ...)

Many Thanks and best regards
Andrew Barker Replied
Employee Post
Mail Server,

This thread only pertains to SmarterTrack. You can look under SmarterMail for a similar discussion. If you cannot find one, feel free to get one started.
Andrew Barker Software Developer SmarterTools Inc. (877) 357-6278 www.smartertools.com
I am going to share my two cents here... I couldn't find a SmarterStats-specific topic for x-forwarded-for, so I decided to add to this one.

X-forwarded-for is VERY commonly used to identify the source of user activity from outside a load balancer.  It's not just used for proxies.

We host our infrastructure in AWS, behind an Elastic Load Balancer.  Because the c-ip column in the IIS logs then reflects the IP addresses of the load balancers, all our website traffic appears to come from three IP addresses in SmarterStats.  This effectively makes the product almost useless.

I don't fully follow the security concern.  Even if someone was trying to parse logs from a proxy, they already have access to the raw logs and can see the originating IP address anyway.

I disagree with the IPgeolocation functionality being broken by adding support for this.  You would simply create a dropdown in the stats property profile to use x-forwarded-for instead of c-ip from the logs.  This would be used or any IP-specific features, including geolocating the IP of the ACTUAL end user.  It is completely useless to geolocate the IP of our load balancers in the c-ip column -- we know where they are (sitting down the isle from the web servers).

In summary, I feel that your SmarterStats product is effectively broken without supporting x-forwarded-for, which is becoming way more popular as more and more websites migrate to multi-machine web farms and/or the cloud.

Reply to Thread