X-Forwarded-For

The X-Forwarded-For (XFF) HTTP header is a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy. It is a non-RFC-standard request header introduced by the developers of the Squid caching proxy server. (A standardized successor, the Forwarded header, was later defined in RFC 7239, but X-Forwarded-For remains far more widely deployed.)

In this context, the caching servers are most often those of large ISPs who either encourage or force their users to use proxy servers for access to the World Wide Web, something which is often done to reduce external bandwidth through caching. In some cases, these proxy servers are transparent proxies, and the user may be unaware that they are using them.

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address was available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

Format

The general format of the header is:

X-Forwarded-For: client1, proxy1, proxy2

where the value is a comma-and-space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request appending the IP address from which it received the request. In this example the request passed through proxy1, proxy2 and proxy3: proxy1 recorded client1, proxy2 recorded proxy1, and proxy3 recorded proxy2. proxy3 itself does not appear in the header; it is the remote (layer 4) address of the connection the server actually received.

Since it is easy to forge an X-Forwarded-For header, the information in it should be used with care. Only the right-most entry was written by the proxy that connected to you, so it is the most reliable part of the header, and it is exactly as reliable as that proxy. Everything to its left could have been supplied by the client in a forged header, because an honest proxy appends to whatever it receives rather than discarding it. X-Forwarded-For data can be used in a forward or reverse proxy scenario.

In a forward proxy scenario you can track the real client IP on your network through an internal proxy chain and log that IP address on a gateway device. For security reasons, your gateway device should strip any X-Forwarded-For header before sending the request to the Internet, since it leaks internal addressing to external sites. You should be able to trust X-Forwarded-For information in this scenario as it is all generated within your network, provided the first internal proxy overwrites rather than appends to any header an internal client sent.

In a reverse proxy scenario you can track the real IP of a client on the Internet accessing your web server, even if your web server is not routable from the Internet, i.e. it is behind a layer 7 proxy device. You should NOT trust all X-Forwarded-For information in this scenario, as you may have received bogus information from the Internet. Instead, a trust list should be used: starting from the right-most entry, discard each address that belongs to a proxy you trust, and treat the first address that is not on the list as the client. Entries to the left of that point were written by untrusted parties and should be logged but never relied on.

Just logging the X-Forwarded-For header is not always enough, as the last proxy in a chain is not contained within the X-Forwarded-For header; it is the source address of the actual layer 4 IP connection. A web server should log BOTH the layer 4 source IP and the X-Forwarded-For header information for completeness, so that a forged header can later be distinguished from a genuine one.
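The parsing and trust-list walk described in the paragraphs above, as an added example (not code from the article or from any of the proxy products it lists). It assumes the web server has two inputs, the layer 4 peer address of the TCP connection and the raw header value, plus an operator-maintained list of trusted proxy addresses or networks; the function and type names are the author's own. The walk starts at the peer and moves leftward through the header, stripping trusted hops, and falls back to the peer whenever the header cannot be trusted or a trusted proxy recorded something that is not an address.

```python
"""Resolve the originating client from X-Forwarded-For behind a reverse proxy.

Added example, not part of the original article. Inputs are assumed to be the
TCP peer address (layer 4) and the raw X-Forwarded-For value; the trust list
is a hypothetical operator-maintained list of proxy addresses or CIDR blocks.
"""
import ipaddress
from typing import Iterable, List, NamedTuple, Optional


class Resolution(NamedTuple):
    peer_ip: str              # layer 4 source address; log this unconditionally
    client_ip: str            # best supportable estimate of the originating client
    trusted_hops: List[str]   # proxies stripped from the right end of the chain
    note: str                 # why the walk stopped where it did


def parse_xff(value: Optional[str]) -> List[str]:
    """Split 'client1, proxy1, proxy2' into its entries, left to right.

    Tokens are kept verbatim (only surrounding whitespace removed) so that
    forged or malformed entries remain visible to the caller and in the logs.
    """
    if not value:
        return []
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def _is_trusted(addr: str, trusted_nets) -> bool:
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # garbage is never a trusted proxy
    return any(ip in net for net in trusted_nets)


def resolve_client(peer_ip: str, xff: Optional[str],
                   trusted_proxies: Iterable[str]) -> Resolution:
    """Walk the hop list from the right, the only end a trusted party wrote.

    chain = header entries + [peer]. Each trusted hop, starting with the peer,
    vouches for the entry immediately to its left (the address it accepted the
    connection from). The first entry not on the trust list is the client;
    anything further left was supplied by an untrusted party and is ignored.
    """
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    chain = parse_xff(xff) + [peer_ip]
    stripped: List[str] = []
    for hop in reversed(chain):
        if _is_trusted(hop, trusted_nets):
            stripped.append(hop)
            continue
        # This entry was written by a trusted proxy, or it is the peer itself.
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A trusted proxy recorded something that is not an address:
            # a misconfiguration upstream. Do not propagate it; use the peer.
            return Resolution(peer_ip, peer_ip, stripped,
                              "malformed entry %r; using peer" % hop)
        note = "direct connection, header ignored" if not stripped else "from trusted chain"
        return Resolution(peer_ip, hop, stripped, note)
    # Every hop, including the left-most, is a trusted proxy: internal traffic.
    return Resolution(peer_ip, chain[0], stripped, "all hops trusted")


def log_fields(peer_ip: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> dict:
    """Fields a web server should record: both the layer 4 peer and the raw
    header, alongside the derived client address, so a forged header can be
    told apart from a genuine one after the fact."""
    r = resolve_client(peer_ip, xff, trusted_proxies)
    return {"peer": r.peer_ip, "xff": xff or "-", "client": r.client_ip, "note": r.note}


if __name__ == "__main__":
    # Constructed sample requests; 10.0.0.0/8 stands in for the operator's own proxies.
    TRUSTED = ["10.0.0.0/8"]
    samples = [
        ("10.0.0.5", "203.0.113.9, 10.0.0.4"),           # genuine two-proxy chain
        ("10.0.0.5", "1.1.1.1, 203.0.113.9"),            # client forged a leading entry
        ("198.51.100.7", "1.1.1.1"),                     # direct hit, header is untrusted
        ("10.0.0.5", "<script>alert(1)</script>"),       # log-forging attempt, no real hop
    ]
    for peer, hdr in samples:
        print(log_fields(peer, hdr, TRUSTED))
```

Note that an entry left of the first untrusted address is deliberately never used as the client, even when it looks like a valid IP: it was written by a party you do not trust. The `note` field exists so that the reason for each decision lands in the access log next to the raw header.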

Software

The X-Forwarded-For header is supported by most proxy servers, including:

* Squid (SquidFaq/ConfiguringSquid, Squid Web Proxy Wiki: http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-3518b69c63e221cc3cd7885415e365ffaf3dd27f)
* Apache mod_proxy (mod_proxy, Apache HTTP Server: http://httpd.apache.org/docs/trunk/mod/mod_proxy.html)
* Pound (Pound proxy, under "Request Logging": http://www.apsis.ch/pound/)
* Varnish cache (Varnish FAQ regarding logging: http://varnish.projects.linpro.no/wiki/FAQ#HowcanIlogtheclientIPaddressonthebackend)
* IronPort Web Security Appliance (http://www.ironport.com/products/web_security_appliances.html)
* Radware AppXcel
* F5 Big-IP (Using "X-Forwarded-For" in Apache or PHP: http://devcentral.f5.com/weblogs/macvittie/archive/2008/06/02/3323.aspx)
* Blue Coat ProxySG
* Cisco Cache Engine
* Finjan's Vital Security
* NetApp NetCache
* jetNEXUS
* Crescendo Networks' Maestro
* Microsoft ISA Server 2004/2006 with Winfrasoft X-Forwarded-For for ISA Server (http://www.winfrasoft.com/X-Forwarded-For.htm; supports logging, forward and reverse proxy)

X-Forwarded-For header logging is supported by many web servers, including Apache and Microsoft IIS 6.0 and 7.0 with the addition of Winfrasoft X-Forwarded-For for IIS (http://www.winfrasoft.com/X-Forwarded-For.htm; supports logging and trust lists).

See also

* Internet privacy
* List of proxy software

External links

* Apache [http://www.openinfo.co.uk/apache/index.html mod_extract_forwarded]


Wikimedia Foundation. 2010.
