X-Forwarded-For

For network administrators seeking to reduce collateral damage due to autoblocks on their proxy servers, see XFF project.
"XFF" redirects here. For the aircraft, see Grumman FF.
HTTP
Persistence · Compression · HTTPS
Request methods
OPTIONS · GET · HEAD · POST · PUT · DELETE · TRACE · CONNECT · PATCH
Header fields
Cookie · ETag · Location · Referer
DNT · X-Forwarded-For
Status codes
301 Moved permanently
302 Found
303 See Other
403 Forbidden
404 Not Found
This box:

The X-Forwarded-For (XFF) HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. This is an HTTP request header which was introduced by the Squid caching proxy server's developers. An effort has been started at IETF for standardizing the Forwarded-For HTTP header.

In this context, the caching servers are most often those of large ISPs who either encourage or force their users to use proxy servers for access to the World Wide Web, something which is often done to reduce external bandwidth through caching. In some cases, these proxy servers are transparent proxies, and the user may be unaware that they are using them.

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address was available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the field is:

X-Forwarded-For: client1, proxy1, proxy2

where the value is a comma+space separated list of IP addresses, the left-most being the farthest downstream client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed proxy1, proxy2 and proxy3 (proxy3 appears as remote address of the request).

Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The last IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario.

In a forward proxy scenario you can track the real client IP address on your network through an internal proxy chain and log that IP address on a gateway device. For security reasons, your gateway device should strip any X-Forwarded-For before sending the request to the Internet. You should be able to trust X-Forwarded-For information in this scenario as it is all generated within your network.

In a reverse proxy scenario you can track the real IP address of a client on the Internet accessing your web server, even if your web server is not routable from the Internet - i.e. it is behind a layer 7 proxy device. You should NOT trust all X-Forwarded-For information in this scenario as you may have received bogus information from the Internet. As such a trust list should be used to make sure that proxy IP addresses in the X-Forwarded-For field are trusted by you.

Just logging the X-Forwarded-For field is not always enough as the last proxy IP address in a chain is not contained within the X-Forwarded-For field, it is in the actual IP header. A web server should log BOTH the request's source IP address and the X-Forwarded-For field information for completeness.

Proxy servers and caching engines

The X-Forwarded-For field is supported by most proxy servers, including Squid,[1] Apache mod_proxy,[2]Pound,[3] HAProxy,[4][5]Varnish cache,[6]IronPort Web Security Appliance,[7]CAI Networks WebMux, ArrayNetworks, Radware's AppDirector and Alteon ADC, ADC-VX, and ADC-VA, F5 Big-IP,[8] Blue Coat ProxySG,[9]Cisco Cache Engine, McAfee Web Gateway, Phion Airlock, Finjan's Vital Security, NetApp NetCache, jetNEXUS, Crescendo Networks' Maestro.

X-Forwarded-For logging is supported by many web servers including Apache. Microsoft IIS 6.0 & 7.0 can use a third party ISAPI filter to accomplish this task. IIS 7.0 can also use a HTTP Module for this filtering.[10]

Load balancers

Citrix Systems' NetScaler supports user-defined fields such as X-Forwarded-For to insert the client IP address into a client request.[11]

Cisco Ace Load Balancing Modules can also insert this field, usually implemented when the load balancer is configured to perform source NAT, to allow the load balancer to exist in a one-armed configuration, while providing a mechanism that the real servers can use to account for client source IP address. The reference mentions x-forward, however X-Forwarded-For can be substituted.[12]

F5 Networks load balancers support X-Forwarded-For for one-armed and multi-armed configurations.[13]

KEMP Technologies LoadMaster supports X-Forwarded-For for non-transparent load balancing in both one-armed configuration and multi-armed configurations.[14]

Coyote Point Systems Equalizer supports X-Forwarded-For fields for load balancing in both one-armed configuration and multi-armed configurations.[15]

OpenBSD relays can insert and/or alter this field.[16]

Amazon's Elastic Load Balancing service supports this field.

LBL LoadBalancer supports X-Forwarded-For for one-armed and multi-armed configurations.

Radware AppDirector ADC, Alteon ADC, ADC-VX, and ADC-VA support inserting an X-Forwarded-For for header for traffic that is Source NAT towards servers, as well, as being capable of providing persistency of traffic based on the X-Forwarded-For header for distributing traffic from a proxied connection to multiple servers while preserving persistency to servers.

See also

References

  1. ^ SquidFaq/ConfiguringSquid - Squid Web Proxy Wiki
  2. ^ mod_proxy - Apache HTTP Server
  3. ^ HAProxy Configuration Manual
  4. ^ haproxy.1wt.eu
  5. ^ Pound proxy, under "Request Logging"
  6. ^ Varnish FAQ regarding logging
  7. ^ IronPort Web Security Appliances
  8. ^ "Using "X-Forwarded-For" in Apache or PHP". devcentral.f5.com. http://devcentral.f5.com/weblogs/macvittie/archive/2008/06/02/3323.aspx. 
  9. ^ Bluecoat Knowledge Base Article 2996
  10. ^ devcentral.f5.com
  11. ^ Citrix NetScaler Traffic Management Guide - Release 9.1
  12. ^ Cisco ACE with Source NAT and Client IP Header
  13. ^ Using the X-Forwarded-For HTTP header field to preserve the original client IP address for traffic translated by a SNAT
  14. ^ LoadMaster Product Manual
  15. ^ Equalizer User Guide
  16. ^ relayd.conf manual page

External links