X-Forwarded-For

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. The X-Forwarded-For HTTP request header was introduced by the Squid caching proxy server's developers. X-Forwarded-For is also an email header indicating that an email message was forwarded from one or more other accounts (probably automatically).

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.


Format

The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2
where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request. Examples:
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
Since it is easy to forge an X-Forwarded-For field, the given information should be used with care. The right-most IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario. Just logging the X-Forwarded-For field is not always enough, as the last proxy IP address in a chain is not contained within the X-Forwarded-For field; it is in the actual IP header. A web server should log both the request's source IP address and the X-Forwarded-For field information for completeness.
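One way to apply this on the server side, as an added example that is not part of the original page: start from the connection's source address and walk the list from the right, stopping at the first address that is not one of your own proxies. The `TRUSTED_PROXIES` networks and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample: networks of the reverse proxies this deployment operates.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "2001:db8:ffff::/48")]

def _parse(token):
    """Return an ip_address for one list entry, or None if it is not a bare IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def _trusted(addr):
    # Membership is False when the address and network versions differ.
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, xff_values):
    """Pick the client address from the TCP peer plus X-Forwarded-For.

    remote_addr: source address of the connection (from the IP header).
    xff_values:  every X-Forwarded-For field value, in the order received.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer):
        return str(peer)  # sender is not our proxy: the header is unverified
    # Flatten repeated header fields into one left-to-right chain.
    chain = [t for v in xff_values for t in v.split(",")]
    candidate = peer
    for token in reversed(chain):
        addr = _parse(token)
        if addr is None:
            break  # malformed entry: keep the last verified hop
        candidate = addr
        if not _trusted(addr):
            break  # first address not written by one of our own proxies
    return str(candidate)
```

Entries to the left of the returned address were supplied by parties outside the trusted set, so they belong in the log alongside the source address but should not drive access decisions.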


Proxy servers and caching engines

The X-Forwarded-For field is supported by most proxy servers. X-Forwarded-For logging is supported by many web servers including Apache. IIS can also use an HTTP Module for this filtering. Zscaler will mask an X-Forwarded-For header with Z-Forwarded-For, before adding its own X-Forwarded-For header identifying the originating customer IP address. This prevents internal IP addresses leaking out of Zscaler Enforcement Nodes, and provides third-party content providers with the true IP address of the customer. This results in a non-RFC compliant HTTP request.


Alternatives and variations

A Forwarded HTTP header has been standardized, with similar purpose but more features compared to the X-Forwarded-For HTTP header. An example of a Forwarded header's syntax:
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
HAProxy defines the PROXY protocol, which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header (Willy Tarreau: The PROXY protocol, haproxy.1wt.eu. Retrieved on 2012-12-24). This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.


See also

* Internet privacy
* List of proxy software
* X-Originating-IP for SMTP equivalent
* List of HTTP header fields




External links

* Apache mod_extract_forwarded