X Forwarded For

X-Forwarded-For – HTTP – MDN Web Docs

The X-Forwarded-For (XFF) header is a de facto standard
header for identifying the originating IP address of a client connecting to a web server
through an HTTP proxy or a load balancer. When a proxy or load balancer sits between clients
and servers, server access logs contain only the IP address of the proxy or load balancer.
To see the original IP address of the client, the X-Forwarded-For
request header is used.
This header is used for debugging, statistics, and generating location-dependent
content, and by design it exposes privacy-sensitive information, such as the IP address
of the client. Therefore the user's privacy must be kept in mind when deploying this
header.
A standardized version of this header is the HTTP Forwarded header.
X-Forwarded-For is also an email-header indicating that an email-message
was forwarded from another account.
Header type: Request header
Forbidden header name: no
Syntax
X-Forwarded-For: <client>, <proxy1>, <proxy2>
Directives
<client>
The client IP address.
<proxy1>, <proxy2>
If a request goes through multiple proxies, the IP addresses of each successive
proxy are listed. This means the right-most IP address is the IP address of the most
recent proxy and the left-most IP address is the IP address of the originating client.
Examples
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
Other non-standard forms:
# Used for some Google services
X-ProxyUser-Ip: 203.0.113.19
Specifications
Not part of any current specification. The standardized version of this header is
Forwarded.
See also
Forwarded
X-Forwarded-Host
X-Forwarded-Proto
Via
X-Forwarded-For – Wikipedia

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
The X-Forwarded-For HTTP request header was introduced by the Squid caching proxy server’s developers. [citation needed]
X-Forwarded-For is also an email-header indicating that an email-message was forwarded from one or more other accounts (probably automatically). [1]
In this context, the caching servers are most often those of large ISPs who either encourage or force their users to use proxy servers for access to the World Wide Web, something which is often done to reduce external bandwidth through caching. In some cases, these proxy servers are transparent proxies, and the user may be unaware that they are using them.
Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host’s IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.
Format
The general format of the field is:[2]
X-Forwarded-For: client, proxy1, proxy2
where the value is a comma-and-space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request appending the IP address it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header); proxy3 appears as the remote address of the request.
Examples:[3]
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
Since it is easy to forge an X-Forwarded-For field, the information it carries should be used with care. The right-most IP address is always the address that connected to the last proxy, which makes it the most reliable element; every element to its left was reported by an upstream hop and is only as trustworthy as that hop. X-Forwarded-For data can be used in a forward or reverse proxy scenario.
Just logging the X-Forwarded-For field is not always enough, as the last proxy IP address in the chain is not contained within the X-Forwarded-For field; it is the source address in the actual IP header. A web server should log both the request's source IP address and the X-Forwarded-For field for completeness.
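The two rules stated above (the right-most element is the only one placed there by the peer you can see, and the chain must be read right to left against a list of proxies you actually operate) are easy to get wrong in application code. The following Python is an added example, not code from MDN, Wikipedia or any proxy vendor; the trusted ranges (10.0.0.0/8 and 150.172.238.178), the request tuples and the function names are constructed for illustration. It contrasts the naive "take the left-most address" approach with a trust-walk that discards forged elements, and builds the log record that keeps both the TCP peer and the raw header.

```python
import ipaddress
from typing import Optional

# Constructed for this example: the address ranges of the load balancers and
# reverse proxies that sit in front of the application. Only these hosts may
# vouch for a client address; everything else is untrusted input.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("150.172.238.178/32"),
]


def is_trusted(addr: str) -> bool:
    """True when addr is a well-formed IP inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_xff(header: Optional[str]) -> list[str]:
    """Split 'client, proxy1, proxy2' into its elements, left to right."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The common mistake: take the left-most element unconditionally.

    The left-most element is whatever the first hop claimed, and the first
    hop may be the client itself sending a forged header."""
    chain = parse_xff(xff)
    return chain[0] if chain else remote_addr


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Derive the client address by walking the chain right to left.

    remote_addr is the TCP peer (from the IP header, not from XFF). If it is
    not one of our proxies the header is ignored entirely, because the peer
    could have written anything into it. Otherwise each trusted hop is
    skipped and the first address that is not ours is returned: it was
    appended by a proxy we trust, so it is the best available answer.
    Hops further left were supplied by parties we do not trust."""
    if not is_trusted(remote_addr):
        return remote_addr
    last_trusted = remote_addr
    for hop in reversed(parse_xff(xff)):
        if is_trusted(hop):
            last_trusted = hop
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A trusted proxy never appends garbage, so a malformed element
            # here means the trustworthy part of the chain has ended.
            return last_trusted
        return hop
    # Every element was one of our own hops (or the header was absent).
    return last_trusted


def access_log_record(remote_addr: str, xff: Optional[str]) -> dict[str, Optional[str]]:
    """Log both the real peer and the raw header, as the text recommends,
    alongside the derived client address, so forgery attempts stay visible."""
    return {
        "remote_addr": remote_addr,
        "x_forwarded_for": xff,
        "client": client_ip(remote_addr, xff),
    }


if __name__ == "__main__":
    # Constructed requests. The chain from the article: 203.0.113.195 ->
    # 70.41.3.18 -> 150.172.238.178 -> our load balancer 10.0.0.5 -> app.
    cases = [
        # direct connection, client forges the header
        ("203.0.113.195", "1.2.3.4"),
        # genuine chain through an untrusted upstream proxy (70.41.3.18)
        ("10.0.0.5", "203.0.113.195, 70.41.3.18, 150.172.238.178"),
        # client sends a forged header, our load balancer appends the truth
        ("10.0.0.5", "1.2.3.4, 203.0.113.195"),
    ]
    for remote, header in cases:
        print(f"remote={remote:15} xff={header!r:50} "
              f"naive={naive_client_ip(remote, header):15} "
              f"trusted={client_ip(remote, header)}")
```

Note the second case: because 70.41.3.18 is not on the trusted list, the walk stops there and 203.0.113.195 is never believed, even though it happens to be the real client. That is the intended trade-off: an address is only accepted on the word of a proxy you operate, so a client cannot pick its own identity for rate limiting, access-control or audit purposes.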
Proxy servers and caching engines
The X-Forwarded-For field is supported by most proxy servers, including A10 Networks, aiScaler, [4]
Squid, [5]
Apache mod_proxy, [6]
Pound, [7]
HAProxy, [8][9]
Varnish, [10]
IronPort Web Security Appliance, [11]
AVANU WebMux,
Array Networks,
Radware’s AppDirector, Alteon ADC, ADC-VX, and ADC-VA,
F5 Big-IP, [12]
Blue Coat ProxySG, [13]
Cisco Cache Engine,
McAfee Web Gateway,
Phion Airlock,
Finjan’s Vital Security,
NetApp NetCache,
jetNEXUS,
Crescendo Networks’ Maestro,
Web Adjuster,
Websense Web Security Gateway, [14]
Microsoft Forefront Threat Management Gateway 2010 (TMG)[15]
and
NGINX. [16]
X-Forwarded-For logging is supported by many web servers, including Apache. IIS can also use an HTTP module for this purpose. [17][18][19]
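Logging the header is only half of the picture; the web server also has to be told which hops it believes before it rewrites the client address. As an added example that is not part of the Wikipedia article or any vendor's documentation, the nginx configuration fragment below (for the http{} context, using the stock realip module) shows the weak setting beside the corrected one, logs both the real peer and the raw header as recommended above, and appends rather than replaces the header when nginx is itself a proxy. The 10.0.0.0/8 proxy range and the app_backend upstream are assumptions for illustration.

```nginx
# --- Weak: every peer counts as a trusted proxy, so the walk skips all
#     elements and ends at whatever the client itself put first. Any
#     visitor can then choose the address nginx logs, rate-limits on and
#     hands to the application.
# set_real_ip_from  0.0.0.0/0;
# real_ip_header    X-Forwarded-For;
# real_ip_recursive on;

# --- Hardened: only the load-balancer range (assumed) may vouch for a client.
set_real_ip_from  10.0.0.0/8;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;     # walk right-to-left, skipping only trusted hops

# Log the peer that actually connected ($realip_remote_addr survives the
# rewrite), the derived client ($remote_addr) and the raw header value.
log_format xff '$realip_remote_addr -> $remote_addr "$request" '
               'xff="$http_x_forwarded_for"';
access_log /var/log/nginx/access.log xff;

upstream app_backend {          # assumed upstream for illustration
    server 127.0.0.1:8080;
}

server {
    listen 80;
    location / {
        # When nginx is itself a proxy, append the peer address so the chain
        # keeps its right-most-is-most-recent meaning for the next hop.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://app_backend;
    }
}
```

With the hardened block, a request arriving directly from the internet with a forged X-Forwarded-For keeps its real peer address in $remote_addr, because the peer is outside 10.0.0.0/8 and the header is never consulted.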
Zscaler masks an incoming X-Forwarded-For header by renaming it Z-Forwarded-For before adding its own X-Forwarded-For header identifying the originating customer IP address. This prevents internal IP addresses from leaking out of Zscaler Enforcement Nodes and provides third-party content providers with the true IP address of the customer. The result is a non-RFC-compliant HTTP request.
Load balancers
Array Networks ADC series supports X-Forwarded-For in one-arm or two-arm mode deployments. It is normally required when the solution is deployed in reverse proxy mode.
AVANU WebMux Network Traffic Manager, an application delivery network load balancing solution, inserts the X-Forwarded-For header by default in One-Armed Single Network Mode, and it is available as a farm option in Two-Armed NAT, Two-Armed Transparent, and One-Armed Direct Server Return Modes. [20]
Barracuda Load Balancer from Barracuda Networks supports user-defined headers such as X-Forwarded-For to insert the client IP address into a client request. [21]
Citrix Systems’ NetScaler supports user-defined fields such as X-Forwarded-For to insert the client IP address into a client request. [22]
Cisco ACE Load Balancing Modules can also insert this field, usually implemented when the load balancer is configured to perform source NAT, to allow the load balancer to exist in a one-armed configuration, while providing a mechanism that the real servers can use to account for client source IP address. The reference mentions x-forward, however X-Forwarded-For can be substituted. [23]
F5 Networks load balancers support X-Forwarded-For for one-armed and multi-armed configurations. [24] Big-IP may also be configured to delegate trust to proxies more than one hop away, and accept custom X-Forwarded-For headers from other sources. [25]
LineRate virtual load balancers support X-Forwarded-For via command line drive configurations, or via scripts. [26]
KEMP Technologies LoadMaster supports X-Forwarded-For for non-transparent load balancing in both one-armed configuration and multi-armed configurations. [27]
Coyote Point Systems Equalizer supports X-Forwarded-For fields for load balancing in both one-armed configuration and multi-armed configurations. [28]
OpenBSD relays can insert and/or alter this field. [29]
Amazon’s Elastic Load Balancing service supports this field.
LBL LoadBalancer supports X-Forwarded-For for one-armed and multi-armed configurations.
Radware AppDirector ADC, Alteon ADC, ADC-VX, and ADC-VA support inserting an X-Forwarded-For header for traffic that is source-NATed towards servers, and can also provide persistency based on the X-Forwarded-For header, distributing traffic from a proxied connection across multiple servers while preserving persistency to servers.
Enterprise load balancers support X-Forwarded-For load balancing by default. [30]
Alternatives and variations
RFC 7239 standardized a Forwarded HTTP header with similar purpose but more features compared to the X-Forwarded-For HTTP header. [31] An example of a Forwarded header's syntax:
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
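The Forwarded syntax is richer than a comma-separated IP list: each hop is a forwarded-element carrying `for=`, `by=`, `proto=` and `host=` pairs, values may be quoted (IPv6 literals must be bracketed and quoted), and a proxy may emit `unknown` or an obfuscated `_name` instead of an address. The parser below is an added example written for this page, not code from RFC 7239, MDN or Wikipedia; the header values in it are constructed (the first is the article's own example) and the function names are arbitrary. It reduces a Forwarded header to the same left-to-right chain of client addresses that X-Forwarded-For gives, refusing anything that does not parse as an IP rather than passing it on.

```python
import ipaddress
import re
from typing import Optional

_QUOTED_ESCAPE = re.compile(r"\\(.)")


def _split_outside_quotes(value: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators inside quoted-strings."""
    parts: list[str] = []
    buf: list[str] = []
    quoted = escaped = False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted-string")
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(raw: str) -> str:
    """Strip surrounding double quotes and undo backslash escapes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _QUOTED_ESCAPE.sub(r"\1", raw[1:-1])
    return raw


def parse_forwarded(value: str) -> list[dict[str, str]]:
    """Parse a Forwarded header value into one dict per forwarded-element.

    Elements are comma-separated (one per proxy hop, earliest first), and
    each element is a ';'-separated list of name=value pairs. Parameter names
    are case-insensitive and may not repeat within one element."""
    elements = []
    for element in _split_outside_quotes(value, ","):
        params: dict[str, str] = {}
        for pair in _split_outside_quotes(element, ";"):
            name, eq, raw = pair.partition("=")
            name = name.strip().lower()
            if not eq or not name:
                raise ValueError(f"malformed forwarded-pair: {pair!r}")
            if name in params:
                raise ValueError(f"duplicate parameter {name!r} in {element!r}")
            params[name] = _unquote(raw.strip())
        elements.append(params)
    return elements


def node_address(node: str) -> Optional[str]:
    """Turn a 'for='/'by=' node identifier into a plain IP string.

    Returns None for 'unknown' and for obfuscated '_name' identifiers, which
    a proxy may emit instead of a real address. IPv6 nodes must be bracketed
    ("[2001:db8::1]:4711"); anything that does not reduce to a valid IP
    raises ValueError instead of being silently accepted."""
    if node == "unknown" or node.startswith("_"):
        return None
    if node.startswith("["):
        end = node.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {node!r}")
        host = node[1:end]
    else:
        host = node.split(":", 1)[0]  # strip an optional :port from IPv4
    return str(ipaddress.ip_address(host))


def forwarded_chain(value: str) -> list[Optional[str]]:
    """The XFF-equivalent view: the 'for' address of every hop, left to right.

    The same trust rule applies as for X-Forwarded-For: only the right-most
    elements, added by proxies you control, can be believed."""
    return [node_address(e["for"]) for e in parse_forwarded(value) if "for" in e]


if __name__ == "__main__":
    # Constructed header values; the first is the article's example.
    for hdr in (
        "for=192.0.2.60;proto=http;by=203.0.113.43",
        'for="[2001:db8:cafe::17]:4711", for=198.51.100.17;by=203.0.113.60',
        "for=_hidden, for=unknown, for=203.0.113.195",
    ):
        print(hdr, "->", forwarded_chain(hdr))
```

Because the parser raises on an unbracketed IPv6 literal, a duplicated parameter or an unterminated quote, garbage injected by an untrusted hop fails closed instead of being logged or passed to an allowlist check as if it were an address.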
HAProxy defines the PROXY protocol which can communicate the originating client’s IP address without using the X-Forwarded-For or Forwarded header. [32] This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.
See also
Internet privacy
List of proxy software
X-Originating-IP for SMTP equivalent
List of HTTP header fields
References
^ Archived from the original on 2014-09-20. Retrieved 2014-05-05.
^ “squid: follow_x_forwarded_for configuration directive”. Retrieved 12 November 2017.
^ “X-Forwarded-For”. MDN Web Docs. Retrieved 2020-11-06.
^ “Admin Guide Page 152” (PDF). Retrieved 12 November 2017.
^ SquidFaq/ConfiguringSquid – Squid Web Proxy Wiki. (2012-02-06). Retrieved on 2012-12-24.
^ mod_proxy – Apache HTTP Server. Retrieved on 2012-12-24.
^ Pound proxy Archived 2015-06-07 at the Wayback Machine, under “Request Logging”
^ HAProxy Configuration Manual. Retrieved on 2012-12-24.
^ Retrieved on 2012-12-24.
^ Varnish FAQ Archived March 29, 2008, at the Wayback Machine regarding logging
^ IronPort Web Security Appliances. (2012-11-26). Retrieved on 2012-12-24.
^ “Using “X-Forwarded-For” in Apache or PHP”.
^ Bluecoat Knowledge Base Article 000010319 Archived 2015-02-15 at the Wayback Machine. (2009-06-29). Retrieved on 2014-03-06.
^ “Using “X-Forwarded-For” in Websense WSG”. Retrieved 12 November 2017.
^ “Winfrasoft – X-Forwarded-For – for TMG, ISA Server and IIS”. Retrieved 12 November 2017.
^ “NGINX Reverse Proxy – NGINX”. Retrieved 12 November 2017.
^ Winfrasoft XFF for IIS.
^ IIS Advanced Logging. (2009-08-10). Retrieved on 2013-06-05.
^ X-Forwarded-For HTTP Module For IIS7, Source Included! by Joe Pruitt (2013-07-05).
^ “WebMux Technical Resources – Application Delivery Network Load Balancing”. Retrieved 12 November 2017.
^ Barracuda Networks, Inc. “Layer 7 HTTP(S) Services”. Barracuda Campus. Retrieved 12 November 2017.
^ Citrix NetScaler Traffic Management Guide – Release 9.1. Retrieved on 2012-12-24.
^ Cisco ACE with Source NAT and Client IP Header. Retrieved on 2012-12-24.
^ Using the X-Forwarded-For HTTP header field to preserve the original client IP address for traffic translated by a SNAT. (2012-09-26). Retrieved on 2012-12-24.
^ Overview of the Trusted X-Forwarded-For header. Retrieved on 2012-12-24.
^ Inserting X-Forwarded-For header with LineRate (12/29/2014) Retrieved on 2015-10-05.
^ LoadMaster Product Manual. Retrieved on 2012-12-24.
^ Equalizer User Guide. Retrieved on 2012-12-24.
^ manual page. (2017-11-29). Retrieved on 2018-02-04.
^ Retrieved on 2017-12-15.
^
^ Willy Tarreau: The PROXY protocol. Retrieved on 2012-12-24.
External links
Apache mod_extract_forwarded

Frequently Asked Questions about X-Forwarded-For

What is X-Forwarded-For used for?

To see the original IP address of the client, the X-Forwarded-For request header is used. This header is used for debugging, statistics, and generating location-dependent content, and by design it exposes privacy-sensitive information, such as the IP address of the client.

Is X-Forwarded-For reliable?

Since it is easy to forge an X-Forwarded-For field, the information it carries should be used with care. The right-most IP address is always the IP address that connected to the last proxy, which makes it the most reliable element. X-Forwarded-For data can be used in a forward or reverse proxy scenario.

What is my IP X-Forwarded-For?

X-Forwarded-For is the custom HTTP header that carries along the original IP address of a client so the app at the other end knows what it is. Otherwise it would only see the proxy IP address, and that makes some apps angry.
