X-Forwarded-For

Last updated July 16, 2023

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the field is:^[2]

X-Forwarded-For: client, proxy1, proxy2

where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request.

Examples:^[3]

X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178 X-Forwarded-For: 203.0.113.195 X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348

Because the X-Forwarded-For header is not formally standardized, some variations to the IP address format exist. For example, some implementations^{[ which? ]} include the port number of clients, or enclose IPv6 addresses in square brackets even without the port number, similar to the format in the newer Forwarded header. Examples:

X-Forwarded-For: 203.0.113.195:41237, 198.51.100.100:38523 X-Forwarded-For: [2001:db8::1a2b:3c4d]:41237, 198.51.100.100:26321 X-Forwarded-For: [2001:db8::aa:bb]

Usage

The X-Forwarded-For header is added or edited by HTTP proxies when forwarding a request. The server appends the address of the client to an existing X-Forwarded-For header separated by a comma, or creates a new X-Forwarded-For header with the client address as the value.

Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The right-most IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario. If the server is behind a trusted reverse proxy and only allows connections from that proxy, the header value can usually be assumed to be trustworthy.

Just logging the X-Forwarded-For field is not always enough as the last proxy IP address in a chain is not contained within the X-Forwarded-For field, it is in the actual IP header. A web server should log both the request's source IP address and the X-Forwarded-For field information for completeness.

Alternatives and variations

RFC 7239 standardized a Forwarded HTTP header with similar purpose but more features compared to the X-Forwarded-For HTTP header.^[4] An example of a Forwarded header's syntax:

Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for="[2001:db8::1234]"

HAProxy defines the PROXY protocol which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header.^[5] This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, as well as mobile phone calling over LTE (VoLTE).

Telnet is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet. Telnet consists of two components: (1) the protocol itself which specifies how two parties are to communicate and (2) the software application that provides the service. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP). Telnet was developed in 1969 beginning with RFC 15, extended in RFC 855, and standardized as Internet Engineering Task Force (IETF) Internet Standard STD 8, one of the first Internet standards. Telnet transmits all information including usernames and passwords in plaintext so it is not recommended for security-sensitive applications such as remote management of routers. Telnet's use for this purpose has waned significantly in favor of SSH. Some extensions to Telnet which would provide encryption have been proposed.

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. RADIUS was developed by Livingston Enterprises in 1991 as an access server authentication and accounting protocol. It was later brought into IEEE 802 and IETF standards.

<span class="mw-page-title-main">Squid (software)</span> Caching and forwarding HTTP web proxy

Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching World Wide Web (WWW), Domain Name System (DNS), and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic. Although used for mainly HTTP and File Transfer Protocol (FTP), Squid includes limited support for several other protocols including Internet Gopher, Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Hypertext Transfer Protocol Secure (HTTPS). Squid does not support the SOCKS protocol, unlike Privoxy, with which Squid can be used in order to provide SOCKS support.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

Diameter is an authentication, authorization, and accounting protocol for computer networks. It evolved from the earlier RADIUS protocol. It belongs to the application layer protocols in the internet protocol suite.

In computer networks, a reverse proxy is an application that sits in front of back-end applications and forwards client requests to those applications. Reverse proxies help increase scalability, performance, resilience and security. The resources returned to the client appear as if they originated from the web server itself.

HTTP compression is a capability that can be built into web servers and web clients to improve transfer speed and bandwidth utilization.

In computer networking, a port or port number is a number assigned to uniquely identify a connection endpoint and to direct data to a specific service. At the software level, within an operating system, a port is a logical construct that identifies a specific process or a type of network service. A port at the software level is identified for each transport protocol and address combination by the port number assigned to it. The most common transport protocols that use port numbers are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP); those port numbers are 16-bit unsigned numbers.

HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it.

Constrained Application Protocol (CoAP) is a specialized Internet application protocol for constrained devices, as defined in RFC 7252. It enables those constrained devices called "nodes" to communicate with the wider Internet using similar protocols. CoAP is designed for use between devices on the same constrained network, between devices and general nodes on the Internet, and between devices on different constrained networks both joined by an internet. CoAP is also being used via other mechanisms, such as SMS on mobile communication networks.

The Session Initiation Protocol (SIP) is the signaling protocol selected by the 3rd Generation Partnership Project (3GPP) to create and control multimedia sessions with two or more participants in the IP Multimedia Subsystem (IMS), and therefore is a key element in the IMS framework.

References

↑ "Overview of parsed mail headers". Archived from the original on 2014-09-20. Retrieved 2014-05-05.
↑ "squid : follow_x_forwarded_for configuration directive". Squid-cache.org. Retrieved 12 November 2017.
↑ "X-Forwarded-For". MDN Web Docs. Retrieved 2020-11-06.
↑ Petersson, A; Nilsson, M (June 2014). Forwarded HTTP Extension. IETF. doi: 10.17487/RFC7239 . RFC 7239 . Retrieved February 20, 2020.
↑ Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved on 2012-12-24.

External links

Apache mod_extract_forwarded

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Overview of parsed mail headers". Archived from the original on 2014-09-20. Retrieved 2014-05-05.

[2] "squid : follow_x_forwarded_for configuration directive". Squid-cache.org. Retrieved 12 November 2017.

[3] "X-Forwarded-For". MDN Web Docs. Retrieved 2020-11-06.

[RFC_7239-4] Petersson, A; Nilsson, M (June 2014). Forwarded HTTP Extension. IETF. doi: 10.17487/RFC7239 . RFC 7239 . Retrieved February 20, 2020.

[5] Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved on 2012-12-24.

[1]

[2]

[3]

[4]

[5]