X-Forwarded-For (XFF)


What Is X-Forwarded-For?

X-Forwarded-For, abbreviated to XFF, is an HTTP request header used to identify the originating IP address of a client connecting to a service through a proxy, load balancer, or CDN. Without XFF, the origin server behind such an intermediary only sees the IP address of the last hop (the proxy, load balancer, or CDN edge) in its logs rather than the IP address of the client itself. Every client then looks the same to the origin, which makes identifying and preventing abusive activity from a particular IP much harder.

This is where the X-Forwarded-For header comes in: it allows the client's IP address to be passed along from the proxy, load balancer, or CDN to the origin server.

Using X-Forwarded-For With a CDN

Taking advantage of the X-Forwarded-For header when using a CDN is useful because without it, the IP given to the origin server is that of the CDN's POP. By convention the client's IP is the first (leftmost) value, and each proxy or load balancer the request passes through appends the address it received the request from, so the proxy IPs follow to the right in order. Note that the leftmost value is also the one a client can forge: a client can send its own X-Forwarded-For header, and a proxy simply appends to whatever it receives. An origin should therefore only trust the header on connections that actually arrive from its own CDN or proxies, and should read the chain from the right, skipping known proxy addresses, rather than blindly taking the first entry.

X-Forwarded-For: client, proxy1, proxy2

The example below shows what the request headers look like when they arrive at the origin from a KeyCDN edge server. As can be seen, the X-Forwarded-For header carries the IP address of the client that made the request. This IP address is passed along to the origin server so that the origin can identify where the request originated.

GET /foobar.jpg HTTP/1.1
Host: your_origin_host
X-Forwarded-Host: <zonename>-<id>.kxcdn.com
X-Forwarded-For: 178.82.72.134
X-Forwarded-Scheme: http
X-Pull: KeyCDN
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Accept-Language: en-US,en;q=0.8,de;q=0.6,ja;q=0.4
Cookie: foobar

With the information provided by the XFF header, the origin can do things that are impossible without the end user's IP: block certain IPs, redirect particular IPs or IP ranges, or throttle an end user whose IP exceeds a certain number of requests per second. All of these controls are only as good as the IP they key on, so the value must be taken from the proxy-appended end of the chain, not from the client-supplied start of it.
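The following is an added example (not KeyCDN's code) that shows both halves of the above: extracting the real client IP from an X-Forwarded-For chain by walking it from the right and discarding known proxy hops, and then using that IP for a block list and a per-IP rate limit. The trusted proxy ranges, the block list, the sample requests, and the hypothetical CDN edge address 203.0.113.10 are all constructed for the example; the client address 178.82.72.134 is the one from the KeyCDN request above.

```python
"""Derive the client IP from X-Forwarded-For and apply abuse controls to it.

Added example, not code from the original page. TRUSTED_PROXIES, BLOCKLIST and
the sample requests are constructed; 203.0.113.0/24 stands in for a CDN edge
range and 10.0.0.0/8 for an internal load balancer.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Optional

# Constructed: the only peers whose X-Forwarded-For entries we believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),       # hypothetical internal load balancer
    ipaddress.ip_network("203.0.113.0/24"),   # hypothetical CDN edge range
]

# Constructed: a range we have decided to deny outright.
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Return the address the request really came from.

    peer_addr is the TCP peer the origin accepted the connection from; xff is
    the raw X-Forwarded-For value, or None if absent. Each proxy appends the
    address it received the request from, so the chain is read right to left:
    trusted hops are skipped and the first untrusted hop is the client. Values
    further left were supplied by an untrusted party and are ignored, which is
    what defeats a client that sends a forged X-Forwarded-For of its own.
    """
    if not _is_trusted(peer_addr):
        # Direct connection, not via our proxies: the header is attacker-controlled.
        return peer_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    candidate = peer_addr
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry injected upstream: stop at the last good hop
        candidate = str(ip)
        if not _is_trusted(hop):
            break  # first hop we do not trust is the client
    return candidate


class RateLimiter:
    """Sliding-window counter: at most `limit` hits per `window_s` seconds per IP."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window = window_s
        self.hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(peer_addr: str, xff: Optional[str], limiter: RateLimiter, now: float):
    """Return (client_ip, verdict) where verdict is ok, blocked or rate-limited."""
    ip = client_ip(peer_addr, xff)
    if any(ipaddress.ip_address(ip) in net for net in BLOCKLIST):
        return ip, "blocked"
    return ip, "ok" if limiter.allow(ip, now) else "rate-limited"


if __name__ == "__main__":
    limiter = RateLimiter(limit=2, window_s=1.0)
    # Constructed requests: (TCP peer, X-Forwarded-For value, arrival time)
    samples = [
        ("203.0.113.10", "178.82.72.134", 0.0),             # via CDN edge
        ("203.0.113.10", "1.2.3.4, 178.82.72.134", 0.1),    # client forged 1.2.3.4
        ("203.0.113.10", "178.82.72.134", 0.2),             # third hit inside window
        ("198.51.100.7", "10.0.0.5", 0.3),                  # direct, header ignored
        ("203.0.113.10", "192.0.2.9", 0.4),                 # block-listed client
    ]
    for peer, xff, t in samples:
        print(peer, repr(xff), "->", decide(peer, xff, limiter, t))
```

The spoofed request in the samples still resolves to 178.82.72.134 because the CDN appended the real client after the forged entry, and the parser only stops at the first untrusted hop counting from the right; the same request is then rate-limited because it is the third hit from that IP within one second.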

Conclusion

The X-Forwarded-For HTTP header is valuable because without it, the IP address of the end client is unknown to the origin. Being able to identify a particular client's IP is useful for stopping abusive activity or simply redirecting particular IPs, provided the origin reads the value from its trusted proxies rather than from the client-supplied part of the header.

The X-Forwarded-For header can be consumed on the origin server itself or, in some cases, by a CMS plugin such as Wordfence. For more information on how to use the X-Forwarded-For header on Apache or Nginx, read our article Make use of X-Forwarded-For with a CDN.