X-Forwarded-For

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

HTTP
Request methods
Header fields
Response status codes
  • 301 Moved Permanently
  • 302 Found
  • 303 See Other
  • 403 Forbidden
  • 404 Not Found
  • 451 Unavailable for Legal Reasons
Security access control methods
  • Basic access authentication
  • Digest access authentication
Security vulnerabilities
  • HTTP header injection
  • HTTP request smuggling
  • HTTP response splitting
  • HTTP parameter pollution

The X-Forwarded-For HTTP request header was introduced by the Squid caching proxy server's developers.

X-Forwarded-For is also an email-header indicating that an email-message was forwarded from one or more other accounts (probably automatically).[1]

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the field is:[2]

X-Forwarded-For: client, proxy1, proxy2

where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request.

Examples:[3]

X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348

Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The right-most IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario.

Just logging the X-Forwarded-For field is not always enough as the last proxy IP address in a chain is not contained within the X-Forwarded-For field, it is in the actual IP header. A web server should log BOTH the request's source IP address and the X-Forwarded-For field information for completeness.

Proxy servers and caching engines

The X-Forwarded-For field is supported by most proxy servers.

X-Forwarded-For logging is supported by many web servers including Apache. IIS can also use a HTTP Module for this filtering.[4][5][6]

Zscaler will mask an X-Forwarded-For header with Z-Forwarded-For, before adding its own X-Forwarded-For header identifying the originating customer IP address. This prevents internal IP addresses leaking out of Zscaler Enforcement Nodes, and provides third party content providers with the true IP address of the customer. This results in a non-RFC compliant HTTP request.

Alternatives and variations

RFC 7239 standardized a Forwarded HTTP header with similar purpose but more features compared to the X-Forwarded-For HTTP header.[7] An example of a Forwarded header's syntax:

Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43

HAProxy defines the PROXY protocol which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header.[8] This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.

See also

References
  1. "{title}". Archived from the original on 2014-09-20. Retrieved 2014-05-05.
  2. "squid : follow_x_forwarded_for configuration directive". Squid-cache.org. Retrieved 12 November 2017.
  3. "X-Forwarded-For". MDN Web Docs. Retrieved 2020-11-06.
  4. Winfrasoft XFF for IIS. Winfrasoft.com
  5. IIS Advanced Logging. Iis.net (2009-08-10). Retrieved on 2013-06-05.
  6. X-Forwarded-For HTTP Module For IIS7, Source Included! by Joe Pruitt Archived 2012-01-06 at the Wayback Machine Devcentral.f5.com. (2013-07-05).
  7. Petersson, A; Nilsson, M (June 2014). Forwarded HTTP Extension. IETF. doi:10.17487/RFC7239. RFC 7239. Retrieved February 20, 2020.
  8. Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved on 2012-12-24.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.