
Get real client IPs

Last updated: 2024-11-26 09:51:44

Getting Real Client IP in WAF

WAF protects websites as a reverse proxy. When a user accesses a domain protected by WAF, WAF adds an X-Forwarded-For field to the HTTP request headers to record the user's real IP, in the format X-Forwarded-For: <user IP>. If several proxies sit in the access path, WAF appends the IP of the proxy immediately in front of it. For example:
Scenario 1: User > WAF > origin server. The header is X-Forwarded-For: <user real IP>.
Scenario 2: User > CDN > WAF > origin server. The header is X-Forwarded-For: <user real IP>, <CDN back-to-origin address>.
Note:
In Scenario 2, when adding the domain to WAF, select "Yes" for the proxy setting. With proxy access enabled there is a risk that the client IP could be forged. If you use Tencent Cloud CDN there is no such risk: Tencent Cloud CDN resets the X-Forwarded-For header and writes in only the client IP that CDN itself observed. (With proxy access, a forged client IP is only impactful if the attacker can send requests directly to the WAF VIP address. Under proxy access, users cannot observe the WAF VIP address, so avoid leaking it.)
For CLB type WAF access, please refer to CLB's How to Obtain the Real Client IP.
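To make the trust rule behind the two scenarios concrete, here is an added Python example (not part of this page, of WAF, or of any of the modules configured below) that resolves the client IP at the origin the way the realip and rpaf modules do: the header is honoured only when the TCP peer is a trusted proxy, and the chain is walked from the right, skipping trusted hops. The address ranges and requests are constructed placeholders; in a real deployment the trusted list is the WAF back-to-origin IP list from the WAF console.

```python
import ipaddress
from typing import Iterable, List

# Constructed placeholder ranges for this example (assumption: not real WAF/CDN addresses).
WAF_ORIGIN_RANGES = ["203.0.113.0/24"]
CDN_ORIGIN_RANGES = ["198.51.100.0/24"]


def _is_trusted(ip: str, nets: list) -> bool:
    """True if ip lies inside one of the trusted proxy networks; raises ValueError if malformed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def split_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated hops, left to right."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def resolve_client_ip(remote_addr: str, xff_header: str,
                      trusted_ranges: Iterable[str], recursive: bool = True) -> str:
    """Return the client IP the origin should attribute the request to.

    remote_addr is the TCP peer. The header is only honoured when that peer is a
    trusted proxy, otherwise anyone could set it. With recursive=True the chain is
    walked right-to-left and every trusted hop is skipped, so the result is the
    right-most address that is NOT a trusted proxy (Nginx real_ip_recursive on,
    mod_rpaf behaviour). With recursive=False the right-most address is used as-is
    (Nginx real_ip_recursive off, which is the Nginx default).
    """
    nets = [ipaddress.ip_network(r, strict=False) for r in trusted_ranges]
    if not _is_trusted(remote_addr, nets):
        # Peer is not WAF: the request bypassed WAF, so the header is untrusted.
        return remote_addr
    hops = split_xff(xff_header)
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]
    resolved = remote_addr
    for hop in reversed(hops):
        try:
            trusted = _is_trusted(hop, nets)
        except ValueError:
            # Malformed entry: stop here and keep the last address we could validate.
            break
        if not trusted:
            return hop
        resolved = hop
    # Every hop was a trusted proxy: the left-most entry is the best we have.
    return resolved


if __name__ == "__main__":
    cases = [
        ("Scenario 1, peer is WAF", "203.0.113.10", "192.0.2.50", WAF_ORIGIN_RANGES),
        ("Scenario 2, WAF trusted only", "203.0.113.10", "192.0.2.50, 198.51.100.7", WAF_ORIGIN_RANGES),
        ("Scenario 2, WAF and CDN trusted", "203.0.113.10", "192.0.2.50, 198.51.100.7",
         WAF_ORIGIN_RANGES + CDN_ORIGIN_RANGES),
        ("Direct request to origin, header ignored", "192.0.2.99", "10.0.0.1", WAF_ORIGIN_RANGES),
    ]
    for label, peer, xff, trusted in cases:
        print(f"{label}: {resolve_client_ip(peer, xff, trusted)}")
```

Run against Scenario 2 with only the WAF ranges trusted, the result is the CDN back-to-origin address, because that is the right-most hop the origin cannot vouch for; to attribute the request to the user, the CDN back-to-origin ranges must be trusted as well. A request whose TCP peer is not a WAF address keeps the peer as the client IP, whatever the header says.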
Below are common X-Forwarded-For configuration schemes for application servers:

IIS 7 Configuration Scheme

1. Download and install the F5XForwardedFor module. Depending on your server's operating system architecture, copy F5XFFHttpModule.dll and F5XFFHttpModule.ini from the x86\Release or x64\Release directory to a directory, assumed here to be C:\F5XForwardedFor, and make sure the IIS process has read permission on that directory.
2. Select the IIS server and double-click the Modules feature.

Note:
If the IIS server is not installed on the current server, you can refer to Install IIS 7 on Windows Server 2008 or Windows Server 2008 R2 to install it.
3. Click Configure Native Modules.

4. In the dialog box that opens, click Register.

5. Add the downloaded DLL files as shown below:

6. After adding, select the F5XForwardedFor module that matches your system version, check it, and click OK.
Note:
The image below is an illustration of the addition. Add according to the corresponding operating system version and installed IIS. If you are unsure of the current system version, you can add both.

7. Add the two DLL files above under "ISAPI and CGI Restrictions" on the IIS server and set their restriction to Allowed.

8. Restart the IIS server and wait for the configuration to take effect.

IIS 8.5 and above (including IIS 10.0) configuration scheme

In IIS 8.5 and above (including IIS 10.0), due to the introduction of the enhanced logging feature, the administrator can choose to log additional custom fields from request or response headers or server variables.
1. Open IIS Manager.

2. In the Connections pane, select a site or server and double-click Logging.
Note:
Enhanced logging applies only to site-level logging. If you select a server in the "Connections" pane, the "Custom Fields" section of the W3C Logging Fields dialog box is disabled.

3. Under the log file Format setting, select W3C and click Select Fields.

4. In the W3C Logging Fields dialog box, click Add Field....
Note:
Enhanced logging applies only to site-level logging. If a server is selected in the "Connections" pane, "Add Field..." is disabled.

5. In the Add Custom Field dialog box, enter a field name that will identify the custom field in the log file. For Source type, select Request Header, and for Source, enter X-FORWARDED-FOR.

6. Click OK and restart IIS for the configuration to take effect.
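Once the custom field is enabled, the header value lands in the W3C log as an extra column whose name comes from the #Fields: directive. The following added Python example (not from this page or from IIS) parses such a log offline and pulls the hops out of the custom column; the log text is constructed for illustration and assumes the custom field was named xff. It handles the two format conventions an analyst trips over: "-" for an absent value and "+" standing in for spaces inside a value.

```python
from typing import Dict, List, Optional

# Constructed sample of an IIS W3C log with a custom field "xff"
# (Source type = Request Header, Source = X-FORWARDED-FOR). All values are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-11-26 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem sc-status c-ip xff
2024-11-26 09:00:01 10.0.0.5 GET /index.html 200 203.0.113.10 192.0.2.50
2024-11-26 09:00:02 10.0.0.5 GET /login 200 203.0.113.10 192.0.2.50,+198.51.100.7
2024-11-26 09:00:03 10.0.0.5 GET /health 200 10.0.0.9 -
"""


def _decode_w3c_value(token: str) -> Optional[str]:
    """Undo the W3C/IIS value encoding: "-" means absent, "+" stands for a space."""
    if token == "-":
        return None
    return token.replace("+", " ")


def parse_w3c_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse W3C extended log text into one dict per request line.

    Column names are taken from the most recent #Fields: directive, so a file
    whose field list changes part-way through (IIS writes a fresh header block
    whenever the logging settings change) is still split into the right columns.
    """
    fields: List[str] = []
    rows: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no request data
        if not fields:
            continue  # data before any #Fields line cannot be interpreted
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        rows.append({name: _decode_w3c_value(tok) for name, tok in zip(fields, tokens)})
    return rows


def xff_hops(row: Dict[str, Optional[str]], field: str = "xff") -> List[str]:
    """Return the X-Forwarded-For hops recorded in the custom column, left to right."""
    value = row.get(field)
    if not value:
        return []
    return [hop.strip() for hop in value.split(",") if hop.strip()]


if __name__ == "__main__":
    for row in parse_w3c_log(SAMPLE_LOG):
        # c-ip is the TCP peer (the WAF back-to-origin address when the request came via WAF);
        # the custom column holds the chain WAF forwarded.
        print(row["time"], row["cs-uri-stem"], "peer:", row["c-ip"], "xff:", xff_hops(row))
```

Note that c-ip stays the TCP peer: IIS does not rewrite it from the header. Attributing a line to a user still requires checking that c-ip is a WAF back-to-origin address before believing the xff column.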

Apache Configuration Solution

1. If apache2-dev (which provides the apxs tool) is not installed, install it first:
apt-get install apache2-dev
2. Download, build and install the Apache mod_rpaf module. The GitHub archive is saved as v0.8.4.tar.gz and unpacks into mod_rpaf-0.8.4; the source file in this version is mod_rpaf.c:
wget https://github.com/gnif/mod_rpaf/archive/refs/tags/v0.8.4.tar.gz
tar zxvf v0.8.4.tar.gz
cd mod_rpaf-0.8.4
/usr/bin/apxs -i -c -n mod_rpaf mod_rpaf.c
3. Modify the Apache configuration file (for example /etc/httpd/conf/httpd.conf) and append the following. The directive names are those of mod_rpaf 0.8.x; the older 0.6 spellings (RPAFenable, RPAFproxy_ips, ...) are not accepted by this version:
LoadModule rpaf_module modules/mod_rpaf.so
RPAF_Enable On
RPAF_SetHostName On
RPAF_ProxyIPs <WAF back-to-origin IP addresses>
RPAF_Header X-Forwarded-For
Replace <WAF back-to-origin IP addresses> with the back-to-origin IP addresses of the WAF-protected domain, separated by spaces (CIDR ranges are accepted). They can be found in the Web Application Firewall console, in the domain list under protection configuration, and also in the origin server's access logs. List every address that should be trusted and nothing else: any address in this list is allowed to set the client IP.
4. After the addition, restart Apache:
/usr/sbin/apachectl restart

Nginx configuration solution

1. When Nginx is the application server, the client's real IP is obtained with the http_realip_module. A default Nginx build does not include it, so Nginx must be recompiled with the --with-http_realip_module option passed to the configure script. The build commands are as follows:
wget http://nginx.org/download/nginx-1.24.0.tar.gz
tar zxvf nginx-1.24.0.tar.gz
apt-get install -y libpcre3 libpcre3-dev
apt-get -y install openssl libssl-dev
cd nginx-1.24.0
./configure --user=www --group=www --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_realip_module
make
make install
2. Modify nginx.conf. (The paths below are for illustration; use the actual installation path.)

vi /usr/local/nginx/conf/nginx.conf
Locate the fastcgi settings in the http block, shown here for orientation, and add the two real-IP lines after them:
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 128k;

set_real_ip_from <WAF back-to-origin IP address>;
real_ip_header X-Forwarded-For;
Replace <WAF back-to-origin IP address> with a back-to-origin IP address (or CIDR range) of the WAF-protected domain, which can be found in the Web Application Firewall console under the origin IP list of the domain's access configuration; add one set_real_ip_from line per address. Only requests arriving from these addresses have their client IP taken from the header, so list nothing else. Without real_ip_recursive on, Nginx takes the right-most address in X-Forwarded-For, which in Scenario 2 is the CDN back-to-origin address rather than the user's IP; to attribute such requests to the user, set real_ip_recursive on and also list the CDN back-to-origin ranges in set_real_ip_from.
3. Restart Nginx.
service nginx restart