Jump to content

X-Forwarded-For

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by DumZiBoT (talk | contribs) at 23:25, 27 March 2008 (Bot: Converting bare references, see FAQ). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

For network administrators seeking to reduce collateral damage due to autoblocks on their proxy servers, please see Wikimedia's XFF project

The X-Forwarded-For (XFF) HTTP header is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy. In this context, the caching servers are most often those of large ISPs who either encourage or force their users to use proxy servers for access to the World Wide Web, something which is often done to reduce external bandwidth through caching. In some cases, these proxy servers are transparent proxies, and the user may be unaware that they are using them.

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address was available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the header is:

X-Forwarded-For: client1, proxy1, proxy2

where the value is a comma+space separated list of IP addresses, the left-most being the farthest downstream client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed proxy1, proxy2 and proxy3 (proxy3 appears as remote address of the request).

Since it is easy to forge a X-Forwarded-For header the given information should be used with care. The last IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information (if you trust the last proxy, the remote address of the request).

Software

X-Forwarded-For header is supported by most proxy servers, notably Squid [1], Apache mod_proxy [2], F5 Big-IP, Blue Coat ProxySG, Cisco Cache Engine, Finjan's Vital Security, NetApp NetCache, Crescendo Networks' Maestro, and Microsoft ISA Server 2004/2006 with Winfrasoft X-Forwarded-For for ISA Server.

References

  1. ^ SquidFaq/ConfiguringSquid - Squid Web Proxy Wiki
  2. ^ mod_proxy - Apache HTTP Server

See also

Retrieved from "https://en.wikipedia.org/w/index.php?title=X-Forwarded-For&oldid=201446650"