I'm running a service behind IIS using ARR as a reverse proxy. I know there are x-forwarded-for and x-arr-log-id headers that are passed along. However, what I would like is a private key passed in so that the backing application explicitly knows that the request is not local (even though the ARR server is). I've seen some posts on adding/replacing server variables, but this doesn't seem to come through via the request headers on the backing application.
I'm guessing that there must be some web.config setting that will do this, but have had no luck finding it thus far.
Example: X-PRIVATE-TOKEN: We are the children of Korn!
So that I can trust the x-forwarded-for address is the actual address, as opposed to simply distrusting all proxy requests' IP address references.
Try:
<rule name="myRule_01">
  ...
  <serverVariables>
    <set name="HTTP_X_PRIVATE_TOKEN" value="We are the children of Korn!" />
  </serverVariables>
  ...
</rule>
The header field of the HTTP request will be: x-private-token
The answer, courtesy of IIS.net, would appear to be that this is part of the related URL Rewrite Module:
The request headers are set by using the same mechanism as for server variables, but with a special naming convention. If a server variable name in the collection starts with "HTTP_" then this results in an HTTP request header being set in accordance to the following naming convention:
All underscore ("_") symbols in the name are converted to dash symbols ("-").
All letters are converted to lower case.
"HTTP_" prefix is removed.
For example the following configuration is used to set the custom x-original-host header on the request:
<set name="HTTP_X_ORIGINAL_HOST" value="{HTTP_HOST}" />
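The backend half of this setup, as an added example that is not part of the original question or answers: it applies the quoted naming convention to find the header, then honours x-forwarded-for only when the proxy-injected token matches. Python is used for illustration; the proxy address 10.0.0.5, the function names, and the assumption that the proxy appends the address it saw as the last x-forwarded-for entry are all assumptions of the example.

```python
import hmac
import ipaddress

# Constructed sample values (assumptions): the secret reuses the page's example
# token, and 10.0.0.5 stands in for the ARR server's address.
SHARED_TOKEN = "We are the children of Korn!"
PROXY_ADDRS = {"10.0.0.5"}


def header_name(server_variable):
    """Apply the URL Rewrite convention quoted above: HTTP_X_FOO -> x-foo."""
    if not server_variable.startswith("HTTP_"):
        raise ValueError("only HTTP_* server variables become request headers")
    return server_variable[len("HTTP_"):].replace("_", "-").lower()


TOKEN_HEADER = header_name("HTTP_X_PRIVATE_TOKEN")  # "x-private-token"


def _parse_ip(entry):
    """Parse one X-Forwarded-For entry, tolerating an optional :port suffix."""
    entry = entry.strip()
    if entry.startswith("["):                      # "[2001:db8::1]:443"
        entry = entry[1:entry.index("]")]
    elif entry.count(":") == 1:                    # "203.0.113.7:51234"
        entry = entry.split(":")[0]
    return str(ipaddress.ip_address(entry))


def client_ip(headers, peer_ip):
    """Return the address to attribute the request to.

    X-Forwarded-For is honoured only when the TCP peer is the known proxy AND
    the proxy-injected token matches; otherwise the socket peer is used.
    """
    h = {k.lower(): v for k, v in headers.items()}
    token = h.get(TOKEN_HEADER, "")
    token_ok = hmac.compare_digest(token.encode(), SHARED_TOKEN.encode())
    if peer_ip not in PROXY_ADDRS or not token_ok:
        return peer_ip
    xff = h.get("x-forwarded-for", "")
    try:
        # Assumption: the proxy appends the address it saw, so only the last
        # entry is vouched for; earlier entries were supplied by the client.
        return _parse_ip(xff.split(",")[-1])
    except ValueError:
        return peer_ip
```

On the IIS side, URL Rewrite only lets a rule set server variables that have been added to the allowed server variables list, so HTTP_X_PRIVATE_TOKEN has to be registered there before the rule will run.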