The X-Forwarded-For (XFF) HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. This is an HTTP request header which was introduced by the Squid caching proxy server's developers. A standard has been proposed at the Internet Engineering Task Force (IETF) for standardizing the Forwarded HTTP header.
In this context, the caching servers are most often those of large ISPs who either encourage or force their users to use proxy servers for access to the World Wide Web, something which is often done to reduce external bandwidth through caching. In some cases, these proxy servers are transparent proxies, and the user may be unaware that they are using them.
Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address was available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.
The general format of the field is:
- X-Forwarded-For: client, proxy1, proxy2
where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request.
Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The last IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario.
Just logging the X-Forwarded-For field is not always enough as the last proxy IP address in a chain is not contained within the X-Forwarded-For field, it is in the actual IP header. A web server should log BOTH the request's source IP address and the X-Forwarded-For field information for completeness.
Proxy servers and caching engines
The X-Forwarded-For field is supported by most proxy servers, including Squid, Apache mod_proxy, Pound, HAProxy, Varnish cache, IronPort Web Security Appliance, AVANU WebMux, Array Networks, Radware's AppDirector and Alteon ADC, ADC-VX, and ADC-VA, F5 Big-IP, Blue Coat ProxySG, Cisco Cache Engine, McAfee Web Gateway, Phion Airlock, Finjan's Vital Security, NetApp NetCache, jetNEXUS, Crescendo Networks' Maestro, Web Adjuster, Websense Web Security Gateway and Microsoft Forefront Threat Management Gateway 2010 (TMG).
Zscaler will mask an X-Forwarded-For header with Z-Forwarded-For, before adding its own X-Forwarded-For header identifying the originating customer IP address. This prevents internal IP addresses leaking out of Zscaler Enforcement Nodes, and provides third party content providers with the true IP address of the customer.
Cisco ACE Load Balancing Modules can also insert this field, usually implemented when the load balancer is configured to perform source NAT, to allow the load balancer to exist in a one-armed configuration, while providing a mechanism that the real servers can use to account for client source IP address. The reference mentions x-forward, however X-Forwarded-For can be substituted.
F5 Networks load balancers support X-Forwarded-For for one-armed and multi-armed configurations. Big-IP may also be configured to delegate trust to proxies more than one hop away, and accept custom X-Forwarded-For headers from other sources.
Amazon's Elastic Load Balancing service supports this field.
LBL LoadBalancer supports X-Forwarded-For for one-armed and multi-armed configurations.
Radware AppDirector ADC, Alteon ADC, ADC-VX, and ADC-VA support inserting an X-Forwarded-For for header for traffic that is Source NAT towards servers, as well, as being capable of providing persistency of traffic based on the X-Forwarded-For header for distributing traffic from a proxied connection to multiple servers while preserving persistency to servers.
Alternatives and Variations
HAProxy introduced an alternative to XFF, the more efficient to parse wrapper PROXY protocol. It can be used on multiple transport protocols and does not require inspecting the inner protocol, so it is not limited to HTTP.
- Forwarded HTTP Extension - Proposed Standard. Tools.ietf.org (2014-06-06). Retrieved on 2014-06-30.
- SquidFaq/ConfiguringSquid – Squid Web Proxy Wiki. Wiki.squid-cache.org (2012-02-06). Retrieved on 2012-12-24.
- mod_proxy – Apache HTTP Server. Httpd.apache.org. Retrieved on 2012-12-24.
- HAProxy Configuration Manual. haproxy.1wt.eu. Retrieved on 2012-12-24.
- haproxy.1wt.eu. haproxy.1wt.eu. Retrieved on 2012-12-24.
- Pound proxy, under "Request Logging"
- Varnish FAQ regarding logging
- IronPort Web Security Appliances. Ironport.com (2012-11-26). Retrieved on 2012-12-24.
- "Using "X-Forwarded-For" in Apache or PHP". devcentral.f5.com.
- Bluecoat Knowledge Base Article 000010319. Kb.bluecoat.com (2009-06-29). Retrieved on 2014-03-06.
- "Using "X-Forwarded-For" in Websense WSG". www.websense.com.
- Winfrasoft XFF for TMG. www.winfrasoft.com
- Winfrasoft XFF for IIS. www.winfrasoft.com
- IIS Advanced Logging. www.iis.net (2009-08-10). Retrieved on 2013-06-05.
- X-Forwarded-For HTTP Module For IIS7, Source Included! by Joe Pruitt devcentral.f5.com. (2013-07-05).
- Barracuda Load Balancer - Administrator Guide - Release 4.2. Barracudanetworks.com Retrieved on 2012-12-26.
- Citrix NetScaler Traffic Management Guide – Release 9.1. Support.citrix.com. Retrieved on 2012-12-24.
- Cisco ACE with Source NAT and Client IP Header. Cisco.com. Retrieved on 2012-12-24.
- Using the X-Forwarded-For HTTP header field to preserve the original client IP address for traffic translated by a SNAT. Support.f5.com (2012-09-26). Retrieved on 2012-12-24.
- Overview of the Trusted X-Forwarded-For header. Support.f5.com (2012-09-26). Retrieved on 2012-12-24.
- LoadMaster Product Manual. Kemptechnologies.com. Retrieved on 2012-12-24.
- Equalizer User Guide. Coyotepoint.com. Retrieved on 2012-12-24.
- relayd.conf manual page. Openbsd.org (2012-11-29). Retrieved on 2012-12-24.
- Willy Tarreau: The PROXY protocol. haproxy.1wt.eu. Retrieved on 2012-12-24.