This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 46%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Hi,
I have configured Application Gateway (WAF) to accept traffic for a backend (web) server. The "public" can access the web server. Good!
But, the backend server sees requests via its logs as coming from the Application Gateway (via its private IP Address) and not on the requesting "public" IP Address.
How do I configure WAF so that it will preserve/pass the requests as coming from public P address (not the private IP address)?
Thanks.
Hello @Gregorio Montaño
Thanks for posting your question.
If I am not mistaken, you may need to use a Load balancer instance/appliance to do that... WAF is a L7 load Balancer so, it uses session-based cookie as it is described below:
I hope this may help you...
Regards,
Thanks @risolis for sharing your input.
I am progressing with the suggestion of @GitaraniSharma-MSFT .
Regards,
Hello @Gregorio Montaño
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to configure your Application gateway WAF to preserve the client IP addresses, so that the backend server can see the actual client IP instead of Application gateway IP.
We are unable to preserve the client IP because the Application gateway is a proxy. It will replace the original client IP with the Application gateway instance IP and forward requests to the backend server. However, Application gateway inserts extra headers to all requests before it forwards the requests to the backend. It includes the x-forwarded-for header which has the original client IP information.
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/how-application-gateway-works#modifications-to-the-request
You can configure Application gateway to modify request and response headers and URL by using Rewrite HTTP headers and URL or to modify the URI path by using a path-override setting. However, unless configured to do so, all incoming requests are proxied to the backend.
You can use header rewrite to remove the port information from the X-Forwarded-For header to only keep the IP addresses.
Refer : https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#remove-port-information-from-the-x-forwarded-for-header
Kindly let us know if the above helped or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Hi @GitaraniSharma-MSFT ,
Thank you for your quick reply.
I have created the "header rewrite" suggested in your last link. I tried both {var_add_x_forwarded_for_proxy} and {var_client_ip} and restarted backend service but it was still logging the Application Gateway IP address.
I am using Standard_v2 SKU for my Application Gateway which from links you have provided should handle both have the URL and HTTP header rewrite feature.
Any other configs that I need to check?
Thanks.
Hello @Gregorio Montaño ,
Thank you for the update.
Do you have an Azure Firewall in your setup?
Also, could you share the header rewrite configuration that you added in your Application gateway?
Regards,
Gita
I don't use Azure Firewall in the setup.
Here is the config:
Hello @Gregorio Montaño ,
Apologies for the delay in response.
Thank you for sharing the screenshot of the header rewrite config.
Are you checking the client IP in the backend server logs or WAF logs?
Also, what is in the backend of your App gateway? Is it IIS servers?
I will discuss this issue further with the backend team and keep you posted.
Regards,
Gita
Hello @Gregorio Montaño ,
Could you please share the below requested details?
Regards,
Gita
Hi Gita,
Thank you for following up.
I did an update on the config of the backend application and looks like it is now picking up the client IP address.
I'll observe and close this by end of week.
Thanks.
Hello @Gregorio Montaño ,
Thank you for the update.
Please share the solution in the answer section (if possible), if it works.
Regards,
Gita
This is for applicable for Nginx as backend and would have something like this:
log_format main '$http_x_forwarded_for - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent"' ;
access_log /var/www/site/logs/access.log main;
I have missed the main for the access_log part.
Thank you for sharing the solution, @Gregorio Montaño . Appreciate it!
Glad to hear that it worked.
Regards,
Gita
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 82%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYG%3C/text%3E%3C/svg%3E)
Hello,
I am trying to keep the original public address of the client that connects to one of my sites in IIS, I did exactly the configuration you show and it is still changing my IP address. Does it work correctly for you?
Thanks
Hello,
In my case I followed the steps you indicate to keep the original IP address of the client, but the application gw still keeps changing the original address. Do you have any update on how to make this work correctly?
Thanks