
X-Forwarded-For

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

The X-Forwarded-For HTTP request header was introduced by the Squid caching proxy server's developers.[citation needed]

X-Forwarded-For is also an email header indicating that an email message was forwarded from one or more other accounts (probably automatically).[1]

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address were available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the field is:[2]

X-Forwarded-For: client, proxy1, proxy2 

where the value is a comma-and-space-separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address from which it received the request. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as the remote address of the request.

Examples:[3]

X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348

Because the X-Forwarded-For header is not formally standardized, some variations to the IP address format exist. For example, some implementations[which?] include the port number of clients, or enclose IPv6 addresses in square brackets even without the port number, similar to the format in the newer Forwarded header. Examples:

X-Forwarded-For: 203.0.113.195:41237, 198.51.100.100:38523
X-Forwarded-For: [2001:db8::1a2b:3c4d]:41237, 198.51.100.100:26321
X-Forwarded-For: [2001:db8::aa:bb]

Usage

The X-Forwarded-For header is added or edited by HTTP proxies when forwarding a request. The server appends the address of the client to an existing X-Forwarded-For header separated by a comma, or creates a new X-Forwarded-For header with the client address as the value.

Since it is easy to forge an X-Forwarded-For field, the given information should be used with care. The right-most IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario. If the server is behind a trusted reverse proxy and only allows connections from that proxy, the header value can usually be assumed to be trustworthy.

Just logging the X-Forwarded-For field is not always enough, because the last proxy IP address in a chain is not contained within the X-Forwarded-For field; it is in the actual IP header. A web server should log both the request's source IP address and the X-Forwarded-For field information for completeness.
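The trust rule described above can be applied by walking the list from right to left and stopping at the first address that is not a known proxy. The following is an added example, not code from the original article; the `TRUSTED_PROXIES` networks and the function names are assumptions, and the parser accepts the port and bracket variations shown in the Format section.

```python
import ipaddress

# Assumed deployment: the proxies we operate live in these networks (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:ffff::/48")]


def parse_xff_entry(entry):
    """Parse one element: 'ip', 'ipv4:port', '[ipv6]' or '[ipv6]:port'; None if not an IP."""
    entry = entry.strip()
    if entry.startswith("["):                  # [ipv6] or [ipv6]:port
        host, closing, _port = entry[1:].partition("]")
        if not closing:
            return None
    elif entry.count(":") == 1:                # ipv4:port
        host = entry.split(":")[0]
    else:                                      # bare IPv4 or bare IPv6
        host = entry
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(remote_addr, xff_values):
    """Return the address to attribute the request to.

    remote_addr: source IP of the TCP connection (never taken from a header).
    xff_values:  every X-Forwarded-For header line on the request, in order.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer):
        return peer                            # direct client: its header is unauthenticated
    chain = [e for line in xff_values for e in line.split(",") if e.strip()]
    # Walk right to left: each entry was written by the hop to its right.
    for entry in reversed(chain):
        addr = parse_xff_entry(entry)
        if addr is None:
            return peer                        # malformed entry: stay at the last verified hop
        if not is_trusted(addr):
            return addr                        # first address our own proxies do not vouch for
        peer = addr
    return peer
```

Entries to the left of the returned address were supplied by parties outside the trusted set and should be logged as unverified data alongside the connection's source IP.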

Alternatives and variations

RFC 7239 standardized a Forwarded HTTP header with a similar purpose but more features than the X-Forwarded-For HTTP header.[4] An example of a Forwarded header's syntax:

Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for="[2001:db8::1234]"

HAProxy defines the PROXY protocol which can communicate the originating client's IP address without using the X-Forwarded-For or Forwarded header.[5] This protocol can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.

References

  1. "Overview of parsed mail headers". Archived from the original on 2014-09-20. Retrieved 2014-05-05.
  2. "squid : follow_x_forwarded_for configuration directive". Squid-cache.org. Retrieved 12 November 2017.
  3. "X-Forwarded-For". MDN Web Docs. Retrieved 2020-11-06.
  4. Petersson, A; Nilsson, M (June 2014). Forwarded HTTP Extension. IETF. doi:10.17487/RFC7239. RFC 7239. Retrieved February 20, 2020.
  5. Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved on 2012-12-24.

External links

  • Apache
