One disadvantage of running PeopleSoft behind a load balancer is that it can hide your users’ real IP addresses. With a load balancer, WebLogic and PeopleSoft log the load balancer’s IP address instead of the address of the client connecting to your system. Load balancers support an HTTP header called X-Forwarded-For, and will populate that HTTP header with the client’s IP address. We can configure WebLogic to read this header and add it to our HTTP access log.
The psaccesslog table tracks logins into PeopleSoft, but a customization is required to change the logged IP address to read from X-Forwarded-For. We won’t cover that here. Instead, we’ll show a configuration change to capture this information.
X-Forwarded-For
The X-Forwarded-For HTTP header is designed to pass the originating client IP address through the load balancer. Logging a client IP address helps you identify where users are coming from (geo-ip) and can help with auditing access to your system. Since organizations run many different load balancers, we won’t cover how to enable that. Ask your network administrators to enable and populate X-Forwarded-For and pass it through to your WebLogic servers.
If you want to test the logging without getting a network admin involved, Firefox has a nice add-on, X-Forwarded-For Header, that simulates the header for you.
WebLogic Access Log
Out of the box, WebLogic doesn’t capture the X-Forwarded-For HTTP header. To read that header, we can configure the HTTP Access Log to read the header and log it. To do that, we need to enable the Access Log and tell WebLogic what header to look for.
- Open http://server:port/console and log in.
- Go to “Environment > Servers > PIA > Logging > HTTP”.
- Click “Lock & Edit”.
- Select the checkbox for “HTTP access log file enabled”.
- Save the changes.
- Expand the “Advanced” section.
- Change the Format to Extended.
- Add cs(X-Forwarded-For) to the Extended Logging Format Fields.
- Set the Log File Buffer to 0. (This will write entries immediately to the log file.)
- Save the changes.
- Click the “Release Configuration” button.
- Restart the web server.
In the PIA_access.log file, you should see a dash (-) or an IP address in the new field. If the header is blank, WebLogic logs a dash. Otherwise, WebLogic will log the client’s real IP address.
Here is a sample line from the PIA_access.log file after we enabled X-Forwarded-For logging:
#Version: 1.0
#Fields: date time cs-method cs-uri sc-status cs-username cs(user-agent) s-ip c-ip time-taken bytes cs(X-Forwarded-For)
#Software: WebLogic
2016-11-23 20:49:16 GET /psc/ps/EMPLOYEE/ELM/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL 200 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0" 0.0.0.0:10020 10.0.1.174 5.484 10907 "10.0.1.222"
The last value, "10.0.1.222", is the client IP address (my workstation). The c-ip value (10.0.1.174) is the load balancer IP address in this scenario.
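As the Firefox add-on mentioned above shows, any client can send its own X-Forwarded-For value, so the logged field is only meaningful when c-ip is your load balancer. The following is an added example, not part of the original post: it parses PIA_access.log using the #Fields line and picks the audit address accordingly. It assumes the load balancer appends the address it saw to the right of any existing header value; the function names, the trusted-proxy set and all sample lines except the first are constructed for illustration.

```python
import ipaddress
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted field or bare field
# First data line is the sample from the article; the other three are constructed.
SAMPLE = """\
#Version: 1.0
#Fields: date time cs-method cs-uri sc-status cs-username cs(user-agent) s-ip c-ip time-taken bytes cs(X-Forwarded-For)
#Software: WebLogic
2016-11-23 20:49:16 GET /psc/ps/EMPLOYEE/ELM/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL 200 - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0" 0.0.0.0:10020 10.0.1.174 5.484 10907 "10.0.1.222"
2016-11-23 20:50:02 GET /psp/ps/ 200 - "curl/7.50.0" 0.0.0.0:10020 10.0.1.50 0.012 512 "198.51.100.9"
2016-11-23 20:50:40 GET /psp/ps/ 200 - "curl/7.50.0" 0.0.0.0:10020 10.0.1.174 0.015 512 "198.51.100.9, 10.0.1.222"
2016-11-23 20:51:05 GET /psp/ps/ 200 - "curl/7.50.0" 0.0.0.0:10020 10.0.1.174 0.009 512 -
"""

def parse_access_log(lines):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = [m.group(2) or m.group(1) for m in TOKEN.finditer(line)]
            if len(values) == len(fields):  # skip lines that do not match the header
                yield dict(zip(fields, values))

def client_ip(entry, trusted_proxies):
    """Return (address, source field). The header counts only when c-ip is a trusted proxy."""
    peer = entry["c-ip"]
    xff = entry.get("cs(X-Forwarded-For)", "-")
    if xff == "-" or peer not in trusted_proxies:
        return peer, "c-ip"  # header absent, or sent by a client that bypassed the proxy
    # Proxies append on the right, so the right-most untrusted hop is the one the proxy saw.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer, "c-ip"  # not an IP address: do not trust any of the header
        if hop not in trusted_proxies:
            return hop, "X-Forwarded-For"
    return peer, "c-ip"

def resolve(log_text, trusted_proxies):
    return [client_ip(e, trusted_proxies) for e in parse_access_log(log_text.splitlines())]

if __name__ == "__main__":
    for address, source in resolve(SAMPLE, {"10.0.1.174"}):
        print(f"{address:15} from {source}")
```

With 10.0.1.174 listed as the only trusted proxy, the second sample line resolves to its c-ip because the header arrived from a peer that is not the load balancer, and the third resolves to the right-most hop rather than the value the client prepended.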
I have a problem with my Tuxedo Appserver doing a reverse-DNS lookup on the IP address when inserting into the PSACCESSLOG table in PS. Has anyone found a way to have tux insert the straight IP?
I made this change and am able to see Client IP now in PA-ACCESS.LOG. Is there any way to also get the EmplID of the user into this log?
Yes, there is a way to log EMPLID, but it takes a custom .jar file. I have this working in our DEV environments but haven’t moved it to PRD yet, so make sure you test it first. The code is in this Gist: https://gist.github.com/iversond/1fe465f7b0ba307d0915aa5de335de90
We log X-Forwarded-For in our login peoplecode, so it’s stored in the database and is tied to an emplid.
Brett, did you write custom PeopleCode signon event to capture that?
Yes we did. We already had all the hooks in place due to our SSO integration, so extending it was pretty simple.
Dan, this was helpful for me on the physical load balancer side to get the client IP to show up in the PIA access log. However, our PeopleSoft admins are concerned the IP address doesn’t appear in the database table psaccesslog. Will that require custom development to get it to appear?
Yes, getting the X-Forwarded-For header value logged to PSACCESSLOG requires a customization.
Does anyone have any customization to share to capture the X-Forwarded-For header value to update the PSACCESSLOG table ?
If you just want to get your client IP into PSACCESSLOG and you’re lucky enough to have an F5 out the front the steps are:
- Enable X-Forwarded-For on your F5 virtual server.
- Add this iRule…
when HTTP_REQUEST {
    HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]
}
- In the WebLogic console set PIA -> Configuration -> General -> Advanced -> WebLogic Plug-In Enabled = yes
- Restart the web server.
Hope that helps.
David – thanks for posting this! That’s great to know.
David,
We did exactly what you listed for F5 virtual server and WebLogic, somehow client IP address is still not captured in table PSACCESSLOG. Not sure what we missed. Any idea? Please advise. Thanks.
James
David,
Please ignore my previous request. Your example is working for us now after our F5 admin adjusted the iRule.
Thanks for the tip!!
James
Hi James, I’m glad you got it working!
dan
Dan,
Would you share an example of customization for getting the X-Forwarded-For header value logged to PSACCESSLOG?
Thanks,
James
Dan,
Please ignore my previous request. David’s example resolved our issue.
Thanks,
James
Hi Dan,
I have configured WebLogic server with the changes mentioned above. But what should I do to populate the IP address trace under the cs(X-Forwarded-For) column? Any help is much appreciated.
If you have a load balancer in front of WebLogic, you can request to have the clientip value copied into the X-Forwarded-For HTTP header.
Hi Dan, Thanks for the quick reply. Currently I am trying this in my local. I don’t have any load balancer. How can I request to have my addresses populated? Currently I am getting a – under X-Forwarded-For. Instead of that, how can I get my workstation IP address? What changes need to be done?
I am new to this stuff. So can you please provide either detailed steps or any documentation if available to make these changes.
We don’t have documentation on the load balancer setup because it’s different for everyone. A google search of your load balancer should tell you how to set up HTTP headers.
If you are doing this locally without the load balancer, then the clientip should already be in the right field. If you are testing on your workstation then you can check the PSACCESSLOG table or your log files and see your current IP address.
Currently I am getting a dash (-) under X-Forwarded-For. As per your blog, if the header is blank the dash will be populated, right? How should I modify this header so that it will populate my machine address? Thanks in advance.
Hi Dan,
Can you please respond when you have some time. Thanks in advance.