Question

I have got a few web servers running and I want all of them to be accessible via one domain. I set up ARR in IIS as a reverse proxy on another server and it works fine. I, however, need the source IP address to be kept when the requests are redirected to the servers. Otherwise, the servers see all the connections as originating from localhost, which isn't very good.

I know there is an option, forwarded_for, which creates the X-Forwarded-For header, but it is not really transparent because I have a WAF (Web Application Firewall) issue.

Solution

Edited:

You need a rewrite rule for each of your websites that are having traffic directed to them from the proxy server. The rule will check to see if the HTTP_X_FORWARDED_FOR header exists and has a value. If it does, then we know the request has been forwarded from the proxy server, so we'll set the server variable REMOTE_ADDR to the value of HTTP_X_FORWARDED_FOR because we know that is the true IP address of the user.

Here's the rule:

<rule name="RewriteRemoteAddr">
    <match url="(.*)" />
    <conditions>
        <!-- Apply only when X-Forwarded-For is present and non-empty -->
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="([_0-9a-zA-Z]+)" />
    </conditions>
    <serverVariables>
        <!-- name takes the bare server variable name, without braces -->
        <set name="REMOTE_ADDR" value="{HTTP_X_FORWARDED_FOR}" />
    </serverVariables>
    <action type="None" />
</rule>
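
A hardened variant of the rule above, as an added example that is not part of the original answer: X-Forwarded-For is a client-supplied header, so this version rewrites REMOTE_ADDR only when the connection itself comes from the ARR server, and it takes only the last address in the header, which is assumed to be the one the proxy appended. The proxy address 192.0.2.10 and the rule name are placeholders, the header is assumed to carry bare addresses without a port, and the allowedServerVariables entry may have to be made at server level (applicationHost.config) rather than in the site's web.config.

```xml
<rewrite>
  <!-- URL Rewrite only lets a rule set server variables that are listed here -->
  <allowedServerVariables>
    <add name="REMOTE_ADDR" />
  </allowedServerVariables>
  <rules>
    <rule name="RewriteRemoteAddrFromTrustedProxy">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <!-- 1. The TCP peer must be the ARR server (placeholder address).
             Requests that reach the site directly keep their real REMOTE_ADDR,
             whatever X-Forwarded-For value they carry. -->
        <add input="{REMOTE_ADDR}" pattern="^192\.0\.2\.10$" />
        <!-- 2. Capture only the last entry of a comma-separated list.
             Earlier entries were supplied by the client or by upstream hops
             and are not trusted here. Accepts IPv4 and IPv6 characters. -->
        <add input="{HTTP_X_FORWARDED_FOR}" pattern="([0-9a-fA-F:.]+)\s*$" />
      </conditions>
      <serverVariables>
        <!-- {C:1} is the capture group from the last matched condition -->
        <set name="REMOTE_ADDR" value="{C:1}" />
      </serverVariables>
      <action type="None" />
    </rule>
  </rules>
</rewrite>
```

With a header value such as `203.0.113.7, 198.51.100.4` (constructed sample), REMOTE_ADDR becomes `198.51.100.4`, and the rule does nothing when the request did not arrive from the proxy address.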

OTHER TIPS

You can use the ARR Helper to get the actual Client-IP in your logs:

http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx

I'm testing this using the REMOTE_ADDR server variable as documented above, but it's not acting as a fully transparent reverse proxy: I can still see the reverse proxy's IP as the origin IP and the original one as HTTP_X_FORWARDED_FOR.

I'm using exactly the above instruction:

<set name="REMOTE_ADDR" value="{HTTP_X_FORWARDED_FOR}" replace="true" />
Licensed under: CC-BY-SA with attribution