Make Use of X-Forwarded-For with a CDN

By Jonas Krummenacher
Updated on January 15, 2023
Make Use of X-Forwarded-For with a CDN

The X-Forwarded-For (XFF) HTTP header field is a de facto standard for identifying the originating IP address of a client connecting to a web server through a content delivery network (CDN). KeyCDN forwards this HTTP header to any origin server of a Pull Zone.

About X-Forwarded-For

Without the XFF HTTP header or any other similar technique, a connection through a CDN would only reveal the IP of the POP but not the end client. In this case, the end client would be anonymous. Any abusive usage of a particular end client could not be mitigated easily since it is hiding behind a CDN.

If a request is going through a chain of proxies, the end client IP will always be the first one on the left. All other IPs from the CDN and the proxies will be concatenated like this:

X-Forwarded-For: client, proxy1, proxy2

Why X-Forwarded-For can be very useful

As soon as the end client IP is provided to the origin server, any rule can be implemented to handle client IPs differently. Some scenarios could be:

  • Block end user IPs that surpass a certain threshold of requests per second.
  • Redirect particular IPs or IP ranges
  • Blacklist certain IPs by default

Take advantage of XFF

Some CMS security plugins support rules in order to manage the X-Forwarded-For header. Wordfence for WordPress might be one of the plugins that you want to consider for rate limiting since they also support the X-Forwarded-For HTTP header. If a CMS security plugin is not suitable for you, you can still manage the X-Forwarded-For header directly in your web server. Here some examples:

  • Nginx rate limiting with limit_req_zone:

    limit_req_zone $http_x_forwarded_for zone=zone:16m rate=1r/s;
  • Nginx redirect a certain end client IP:

    if ($http_x_forwarded_for = "") {
        rewrite ^$request_uri;

There are also various Apache plugins available for managing client IPs and X-Forwarded-For. mod_security lets you define a SecRule for X-Forwarded-For. mod_evasive is one other plugin that let's you apply evasive actions for Apache.

  • Share

Supercharge your content delivery 🚀

Try KeyCDN with a free 14 day trial, no credit card required.

Get started


Comment policy: Comments are welcomed and encouraged. However, all comments are manually moderated and those deemed to be spam or solely promotional in nature will be deleted.
  • **bold**
  • `code`
  • ```block```
KeyCDN uses cookies to make its website easier to use. Learn more