#dominoforever | Product Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Include XForwardedFor IP address in log.nsf / domlog.nsf

Since 9.0.1FP8 there is a notes.ini entry HTTP_LOG_ACCESS_XFORWARDED_FOR to get the ip address of the user when you use a load balancer in front of a Domino server.

After activating you can see the x-forwarded-for IP address in the http log, but you have to change the design in the domlog.nsf (Jesper Kiaer blogged about it http://nevermind.dk/nevermind/blog.nsf/subject/making-x-forwarded-for-log-feature-ibm-domino-fp8-actually-work)

If the user enters an incorrect password the IP address of the load balancer is logged (nHTTP: user@name.xx [xx.xx.xx.xx] authentication failure using internet password), even if the entry HTTP_LOG_ACCESS_XFORWARDED_FOR is set.

Martin Vogel

  • Guest
  • Aug 2 2018
  • Shipped
  • Attach files
  • Guest commented
    20 Jan 06:19am

    Hi Thomas - did this get incorporated into 12.0.1 ?

  • Admin
    Thomas Hampel commented
    10 Aug, 2021 06:28pm

    Properly logging the XFORWARDED_FOR address will be done in Domino 12.0.1

  • Guest commented
    12 Mar, 2021 02:05pm

    As my request was merged into this idea - the XFORWARDED_FOR address should be also used by the bulit in Security Feature, as this feature is useless in a proxy environment.

  • Guest commented
    28 Aug, 2019 10:23am

    Another comment from me ..

    We have customers who need a solution today.
    So I wrote an Extension Manager (EM) which will find the request in the domlog.nsf with a 401 and gets the IP provided via X-Forward-For header.

    The documents in domlog.nsf can even be discarded by the EM before updating (to prevent the domlog.nsf to get full).

    We can start an agent running on the document to pass the information to another service like a fail2ban running on another machine.

    In my current customer project I leveraged the new LS HTTP request class to pass the data directly to a NGINX server which have a custom fail2ban configuration for the errors which are logged.

    Here is the post to my fail2ban blog entry:



    [ Daniel Nashed / http://blog.nashcom.de ]

  • Guest commented
    12 Aug, 2019 06:52am

    Yes please! this should be enhanced. Just logging the IP to the domlog.nsf document isn't completely helpful.
    It would make sense to also allow use the x-forward header for the error message on the console.
    there are integrations like fail2ban and also other applications for intrusion detection.

    Those applications collect log information from plain text log files like console.log but cannot access a NSF file like domlog.nsf

    [ Daniel Nashed / http://blog.nashcom.de ]

  • Guest commented
    3 Aug, 2018 10:58am

    :-)  A working link