Talk:X-Forwarded-For

WikiProject Internet (Rated C-class, High-importance)

Variations

What's the difference [between X-Forwarded-For and Client-IP]? —Preceding unsigned comment added by 58.136.73.164 (talk) 02:40, November 3, 2006 (UTC)

It would be nice to list the various permutations and the vendors that use them. I've got some code I've been using some variety of for about 10 years that collects eight headers beyond the remote IP:

  • Client-IP
  • Coming-From
  • Forwarded-For
  • Forwarded
  • X-Coming-From
  • X-Forwarded-For
  • X-Forwarded
  • and Via, which just names the proxy server platform

I found these so long ago that I'm sure many of them are extinct in the wild, and I didn't record the sources when I originally collected them anyway. — Brianary (talk) 17:02, 20 October 2008 (UTC)

According to HAProxy, Zeus Web Servers require X-Cluster-Client-IP.
216.94.210.146 (talk) 14:18, 2 October 2009 (UTC)

Proxy3?

The "Format" section of this article currently says the following:

The general format of the header is:
X-Forwarded-For: client1, proxy1, proxy2
where the value is a comma+space separated list of IP addresses, the left-most being the farthest downstream client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed proxy1, proxy2, and proxy3 (proxy3 appears as the client).

But there is no "proxy3" in the example. The numbering implies that the example should read:

X-Forwarded-For: client1, proxy1, proxy2, proxy3

but then the text would seem to be saying that XFF would report the client IP at both the front and back of the chain, which makes no sense. Is this supposed to be saying "proxy3 being the IP that appears to be the client" to some component in this situation, like the end-user application or some network report? If so, the prose should say this, and the example should include the "proxy3". As it is, it makes no sense to someone not versed in XFF, who is the intended audience of the article. (Why would someone who knows XFF need the information?) I'd fix this myself, but I don't know whether this is a technical error or actual confusion of the editors. ~ Jeff Q (talk) 01:06, 25 October 2007 (UTC)


Jeffq: You are right. I had to read this page to interpret what was being said. Re-wording would probably be nice. —Preceding unsigned comment added by 70.235.23.97 (talk) 06:20, 23 December 2007 (UTC)

I did some clarifications to the article text and a note about security considerations, hope you like it. - 83.254.215.235 (talk) 09:45, 19 March 2008 (UTC)

Why provide it?

The article doesn't seem to say why proxies would want to add this header on to the request. I think one reason is that, since servers often block abusive users by IP address, by providing an accurate X-Forwarded-For header the proxy administrator can reduce the chance that legitimate users on the same proxy are blocked along with the abusive proxy users. --Thenickdude (talk) 06:01, 8 September 2009 (UTC)

For proxy administrators, it's important to allow sites to accurately report abuse. When abusers use a proxy, this header allows them to be identified accurately by the remote site (with the help of the proxy administrator). Since anyone can set this header on their HTTP requests, it should never be assumed to be accurate unless you can trust the proxy (often the case when the proxy is a local load-balancer or reverse-proxy).
This header is also widely used with load-balancers and reverse proxies to allow passing the remote user's IP address to the web servers behind them for geo-targeting or blocking abusers by their IP address.
216.94.210.146 (talk) 14:28, 2 October 2009 (UTC)

[edit]

In the Proxy servers and caching engines section, there is an advertisement for a specific product for IIS to log IPs from X-Forwarded-For headers. There are other alternatives and there is no reason this specific product be listed here. I will remove it.

For example there is this one which is community-supported and free: http://devcentral.f5.com/downloads/codeshare/F5XForwardedFor.zip

216.94.210.146 (talk) 14:40, 2 October 2009 (UTC)

HTTP_X_FORWARDED_FOR

HTTP_X_FORWARDED_FOR seems to be a common incarnation of this, but I can't seem to find any origins. It would be interesting to see which proxies use this over "X-FORWARDED-FOR" as documented in this article. --Hm2k (talk) 08:17, 26 April 2011 (UTC)

HTTP_X_FORWARDED_FOR is what CGI and related interfaces rename the X-Forwarded-For header to in the CGI environment. BCoates (talk) 22:07, 26 September 2011 (UTC)
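
An added example, not part of any comment above: it ties the CGI variable name from this section to the trust point raised under "Why provide it?" by choosing a client address from a CGI-style environment only when the connecting peer is a proxy you run. The `TRUSTED_PROXIES` networks, the function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks that contain only your own load balancers / reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Pick the address to log or block on from a CGI-style environ dict.

    REMOTE_ADDR is the TCP peer and cannot be set by a request header.
    Each proxy appends the address it received the request from, so the
    list is walked from the right (nearest hop) and the first address
    that is not one of our proxies is taken as the client.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer):
        # Direct connection: any X-Forwarded-For value came from the client.
        return str(peer)
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    candidate = peer
    for hop in reversed([h for h in hops if h]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address a trusted hop reported
        candidate = addr
        if not _is_trusted(addr):
            break  # everything further left is unverified client input
    return str(candidate)


# Constructed sample: the client prepended a fake entry before reaching our proxies.
SPOOFED = {
    "REMOTE_ADDR": "10.0.0.2",
    "HTTP_X_FORWARDED_FOR": "192.0.2.99, 198.51.100.23, 10.0.0.1",
}

if __name__ == "__main__":
    print(client_ip(SPOOFED))
```

Entries to the left of the first untrusted hop are kept out of the decision because only the right-hand part of the list was written by proxies you control.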