Load Balancers and Client IP Addresses

One disadvantage of running PeopleSoft behind a load balancer is that it can hide your user’s real IP address. With a load balancer, WebLogic and PeopleSoft log the load balancer’s IP address instead of the client connecting to your system. Load balancers support an HTTP header called X-Forwarded-For, and will populate that HTTP header with the client’s IP address. We can configure WebLogic to read this header and add that to our HTTP access log.

The psaccesslog table tracks logins into PeopleSoft, but a customization is required to change the logged IP address to read from X-Forwarded-For. We won’t over that here. Instead, we’ll show a configuration change to capture this information.

X-Forwarded-For

The X-Forwarded-For HTTP header is designed to pass in the HTTP originating client IP address through the load balancer. Logging a client IP address helps you identify where users are coming from (geo-ip) and can help with auditing access to your system. Since organizations run many different load balancers, we won’t cover how to enable that. Ask your network administrators to enable and populate X-Forwarded-For and pass it through to your WebLogic servers.

If you want to test the logging without getting a network admin involved, FireFox has a nice add-on, X-Forwarded-For Header that simulates the header for you.

WebLogic Access Log

Out of the box, WebLogic doesn’t capture the X-Forwarded-For HTTP header. To read that header, we can configure the HTTP Access Log to read the header and log it. To do that, we need to enable the Access Log and tell WebLogic what header to look for.

EnableXFF

  1. Open http://server:port/console and login.
  2. Go to “Environment > Servers > PIA > Logging > HTTP”.
  3. Click “Lock & Edit”.
  4. Select the checkbox for “HTTP access log file enabled”.
  5. Save the changes.
  6. Expand the “Advanced” section.
  7. Change the Format to Extended.
  8. Add cs(X-Forwarded-For) to the Extended Logging Format Fields.
  9. Set the Log File Buffer to 0. (This will write entires immediately to the log file.)
  10. Save the changes.
  11. Click the “Release Configuration” button.
  12. Restart the web server.

In the PIA_access.log file, you should see a dash - or an IP address. If the header is blank, the dash will be populated. Otherwise, WebLogic will log the client’s real IP address.

Here a sample line from the PIA_access.log file after we enabled X-Forwarded-For logging:

#Version:   1.0
#Fields:    date time cs-method cs-uri sc-status cs-username cs(user-agent) s-ip c-ip time-taken bytes cs(X-Forwarded-For)
#Software:  WebLogic

2016-11-23  20:49:16    GET /psc/ps/EMPLOYEE/ELM/c/NUI_FRAMEWORK.PT_LANDINGPAGE.GBL 200 -   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"    0.0.0.0:10020   10.0.1.174  5.484   10907   "10.0.1.222"

The last value, "10.0.1.222" is the client IP address (my workstation). The c-ip value (10.0.1.174) is the load balancer IP adress in this scenario.

26 thoughts on “Load Balancers and Client IP Addresses”

  1. I’ve have a problem with my Tuxedo Appserver doing a reverse-dns lookup on the ipaddress when inserting into the PSACCESSLOG table in PS. Has anyone found a way to have tux insert the straight IP?

  2. Pingback: #58 – Pagelets and Complaints

  3. I made this change and am able to see Client IP now in PA-ACCESS.LOG. Is there any way to also get the EmplID of the user into this log?

  4. Dan, this was helpful for me on the physical load balancer side to get the client IP to show up in the PIA access log. However, our PeopleSoft admins are concerned the IP address doesn’t appear in the database table psaccesslog. Will that require custom development to get it to appear?

      1. Does anyone have any customization to share to capture the X-Forwarded-For header value to update the PSACCESSLOG table ?

        1. If you just want to get your client IP into PSACCESSLOG and you’re lucky enough to have an F5 out the front the steps are:

          Enable X-Forwarded-For on your F5 virtual server.
          Add this iRule…

          when HTTP_REQUEST {
          HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]
          }

          In the WebLogic console set PIA -> Configuration -> General -> Advanced -> WebLogic Plug-In Enabled = yes
          Restart the web server.

          Hope that helps.

          1. David,

            We did exactly what you listed for F5 virtual server and WebLogic, somehow client IP address is still not captured in table PSACCESSLOG. Not sure what we missed. Any idea? Please advise. Thanks.

            James

          2. David,

            Please ignore my previous request. Your example is working for us now after our F5 admin adjusted the iRule.

            Thanks for the tip!!

            James

      2. Dan,

        Would you share an example of customization for getting the X-Forwarded-For header value logged to PSACCESSLOG?

        Thanks,
        James

  5. Hi Dan,
    I have configured Weblogic server with the changes mentioned as above. But what should I do to populate ip address trace under cs(X-Forwarded-For) column. Any help is much appreciated.

    1. If you have a load balancer in front of WebLogic, you can request to have the clientip value copied into the X-Forwarded-For HTTP header.

      1. Hi Dan, Thanks for the quick reply. Currently I am trying this in my local. I don’t have any load balancer. How can I request to have my addresses populated. Currently I am getting a under X-Forwarded-For. Instead of that how can I get my workstation ip address. What changes need to be done.

        1. I am new to this stuff. So can please provide either detailed steps or any documentation if available to make these changes.

          1. We don’t have documentation on the load balancer setup because it’s different for everyone. A google search of your load balancer should tell you how to set up HTTP headers.

        2. If you are doing this locally without the load balancer, then the clientip should already be in the right field. If you are testing on your workstation then you can check the PSACCESSLOG table or your log files and see your current IP address.

          1. Currently I am getting a dash (-) under X-Forwarded-For. As per your blog, if the header is blank the dash will be populated right. How should I modify this header so that it will populate my machine address. Thanks in advance.

  6. Pingback: #327 – HAProxy and OCI Load Balancer

Leave a Reply

Your email address will not be published. Required fields are marked *