Directives
The <client> directive provides the IP address of the client making the request, which helps identify the source of the incoming connection.
Requestly is a web proxy that requires a desktop and desktop browser.
Enter your email below to receive the download link. Give it a try next time youâre on your PC!
HTTP Headers
The HTTP X-Forwarded-For
(XFF) request header is a widely adopted standard for identifying the original IP address of a client connecting to a web server via a proxy server.
A more standardized version of this header is the HTTP Forwarded
header, though it is used less frequently.
Note: Improper use of this header can pose security risks. For detailed information, refer to the Security and Privacy Concerns section.
The Header type is a Request header.
The Forbidden request header status is No.
X-Forwarded-For: <client>, <proxy>
X-Forwarded-For: <client>, <proxy>, …, <proxyN>
For example, an IPv6 client IP in the first header, an IPv4 client IP in the second header, and an IPv4 client IP along with an IPv6 proxy IP in the third example:
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 2001:db8:85a3:8d3:1319:8a2e:370:7348
Directives
The <client> directive provides the IP address of the client making the request, which helps identify the source of the incoming connection.
When a client establishes a direct connection to a server, the client’s IP address is transmitted to the server, often being recorded in server access logs. If the connection passes through any forward or reverse proxies, the server typically only detects the final proxy’s IP address, which may be of limited utility. This issue becomes more pronounced if the final proxy is a load balancer within the same deployment as the server.
To transmit a more accurate client IP address to the server, the X-Forwarded-For
request header is employed. For detailed instructions on utilizing this header, refer to the sections on parsing and selecting an IP address.
This header exposes sensitive privacy information by design, so it is crucial to handle it with care. If all proxies in the request chain are trusted and correctly configured, the parts of the header added by these proxies can be trusted. However, if any proxy is malicious or misconfigured, spoofing or incorrect data may occur, rendering parts of the header unreliable. Even when behind a trusted reverse proxy, the server cannot fully trust X-Forwarded-For
IPs if a direct internet connection exists. Any security-related features such as rate limiting or IP-based controls should only rely on IPs added by trusted proxies. Using untrustworthy IPs can lead to bypassed restrictions, security vulnerabilities, or system overloads.
Untrusted, leftmost IP values should only be used in situations where their potential for spoofing does not pose security risks.
Improper parsing of the X-Forwarded-For
header can have security implications, including those mentioned earlier. Consider these points when parsing: multiple X-Forwarded-For
headers may be present; their IPs should be treated as a sequence starting from the first IP in the first header to the last IP in the last header. To form this sequence, either join all header values with commas and split by comma or split each header individually and then combine the lists. Using only one header is insufficient, as some proxies may join multiple headers automatically, but this behavior should not be assumed.
When choosing an IP address from the complete list, it must include all IPs from all X-Forwarded-For
headers. The closest to the client (not for security use) can be the first valid, non-private IP from the leftmost position. Note that spoofed values may not be actual IP addresses, and internal client networks may have added addresses from private IP spaces.
To select the first trustworthy client IP, additional configuration is necessary, typically one of two methods:
The number of reverse proxies between the internet and the server is configured. The IP list is examined from the right, skipping the number of proxies minus one. For example, with one proxy, the rightmost IP is the client; with three proxies, the last two IPs are internal and should be ignored.
The IP addresses or ranges of trusted proxies are configured. The list is searched from the right, skipping addresses on this list. The first non-trusted address from the right is considered the client IP.
Although the first trustworthy X-Forwarded-For
IP might belong to an intermediate, untrusted proxy, it remains the most reliable identifier of the client for security purposes.
Once set up, Requestly will inject the X-Forwarded-For header with the specified IP address into all matching requests, allowing you to simulate different client IPs for testing geolocation or IP-based access controls.
You might need to modify the X-Forwarded-For header to test how your application responds to requests coming from different IP addresses, especially when your app relies on IP-based rules like security filters or regional content delivery.
Table of Contents