X-Forwarded-For
The X-Forwarded-For HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. It is an HTTP request header which was introduced by the Squid caching proxy server's developers. An effort has been started at the IETF to standardize the Forwarded-For HTTP header.

In this context, the caching servers are most often those of large ISPs who either encourage or force their users to use proxy servers for access to the World Wide Web, something which is often done to reduce external bandwidth through caching. In some cases these proxy servers are transparent proxies, and the user may be unaware that they are using them.

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the field is:

X-Forwarded-For: client1, proxy1, proxy2

where the value is a comma-and-space-separated list of IP addresses, the left-most being the farthest downstream client, and each successive proxy that passed the request adding the IP address from which it received the request. In this example, the request passed proxy1, proxy2 and proxy3 (proxy3 appears as the remote address of the request and is therefore not in the field).

Since it is easy to forge an X-Forwarded-For field, the given information should be used with care. The last IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in either a forward or a reverse proxy scenario.

In a forward proxy scenario you can track the real client IP address on your network through an internal proxy chain and log that IP address on a gateway device. For security reasons, your gateway device should strip any X-Forwarded-For before sending the request to the Internet. You should be able to trust X-Forwarded-For information in this scenario as it is all generated within your network.

In a reverse proxy scenario you can track the real IP address of a client on the Internet accessing your web server, even if your web server is not routable from the Internet, i.e. it is behind a layer-7 proxy device. You should NOT trust all X-Forwarded-For information in this scenario, as you may have received bogus information from the Internet. As such, a trust list should be used to make sure that the proxy IP addresses in the X-Forwarded-For field are ones you trust.

Just logging the X-Forwarded-For field is not always enough, as the last proxy IP address in a chain is not contained within the X-Forwarded-For field; it is in the actual IP header. A web server should log BOTH the request's source IP address and the X-Forwarded-For field information for completeness.
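As an added example (not from the article), the trust-list evaluation described above in Python: the chain is read from the right, starting with the socket peer address, trusted proxies are peeled off, and the first untrusted address is taken as the client, so entries a client forged on the left are ignored. The proxy addresses and sample headers are constructed for the example.

```python
import ipaddress

# Reverse proxies we control; constructed sample values for this example.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def parse_xff(header_value):
    """Split an X-Forwarded-For value into its address entries.

    Entries are separated by commas (the "comma, space" form is the usual
    one, but only the comma is significant); whitespace around an entry
    and empty entries are dropped.
    """
    return [p.strip() for p in header_value.split(",") if p.strip()]


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the client address the header lets us believe, or None.

    The TCP peer address (remote_addr) is the last hop and is not part of
    the header, so it is appended first. Every trusted proxy is then
    peeled off the right end; the first address that is not a trusted
    proxy is the client. Anything to its left was supplied by an untrusted
    party and is ignored, which is what defeats a forged header. A
    malformed entry yields None so the caller logs the raw header instead.
    """
    chain = parse_xff(xff_header) + [remote_addr]
    for addr in reversed(chain):
        if addr in trusted:
            continue
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            return None
        return addr
    # Every hop was a trusted proxy (e.g. a proxy health check).
    return remote_addr


def access_log_line(remote_addr, xff_header):
    """Log both the socket peer and the raw header, as the text advises."""
    client = client_ip(remote_addr, xff_header) or "invalid"
    return 'remote=%s client=%s xff="%s"' % (remote_addr, client, xff_header)


def egress_headers(headers):
    """Forward-proxy gateway: drop X-Forwarded-For before leaving the network."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
```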

X-Forwarded-For for Web server logs

Most web servers can be configured to record the X-Forwarded-For IP address in the log files.
With Apache it is simply a change to the log file configuration; however, with Microsoft IIS a third-party application is needed.
For IIS7, you can get a free IIS module from IIS.net that will write the X-Forwarded-For value into the IIS log as well.

See also

  • Internet privacy
  • List of proxy software
  • X-Originating-IP


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.