sol12264: Overview of the Trusted X-Forwarded-For header

Original Publication Date: 11/04/2010
Updated Date: 04/14/2014

Overview of the X-Forwarded-For header

Servers commonly insert an additional HTTP header, the X-Forwarded-For header, when they proxy an HTTP request to another server. The value inserted for the header is the source IP address from which the proxying server received the request. As a result, subsequent proxy servers and the endpoint web server can extract the original requesting client's IP address, rather than the proxy's IP address, for applications that need this data. When multiple servers proxy the same connection, each server usually appends its own IP address to the existing header value, after any IP addresses already present. Thus, the right-most value is the most recently added (the address seen by the proxy nearest the endpoint server) and the left-most value is the IP address of the originating client. Alternatively, a proxy may add its own separate X-Forwarded-For header to the request, so that the original client IP appears in the first such header.

For example, IP addresses may be represented in one header:

  • X-Forwarded-For: Client-IP, Proxy1-IP, Proxy2-IP

IP addresses may also be represented in multiple headers:

  • X-Forwarded-For: Client-IP
  • X-Forwarded-For: Proxy1-IP
  • X-Forwarded-For: Proxy2-IP

Trusting X-Forwarded-For headers in the BIG-IP ASM system

In BIG-IP ASM versions prior to 10.1.0, the X-Forwarded-For header is not supported because the data can be easily forged. All logging, forensics, and statistics in the BIG-IP ASM system use the source IP address in the packet. Beginning in BIG-IP ASM 10.1.0, you can instruct the BIG-IP ASM system to trust the X-Forwarded-For header and use the IP address information in the HTTP header instead of the source IP of the packet if the BIG-IP ASM system is deployed behind an internal or other trusted proxy. You can enable this feature in the Configuration utility by selecting the Trust XFF Header check box in the security policy properties advanced configuration settings.

Determining which XFF value the BIG-IP ASM system will trust

As X-Forwarded-For implementation is non-standardized, different servers do not always use it consistently. While some servers append their IP address to the existing X-Forwarded-For header value list, others may append their own additional X-Forwarded-For header. For logging, forensics, and so on, the IP address that the BIG-IP ASM system uses when Trust-XFF is enabled is as follows:

  • If multiple X-Forwarded-For headers are present, the BIG-IP ASM system uses the last header.
  • If multiple IP addresses are present in the X-Forwarded-For header, the BIG-IP ASM system uses the last IP address in the header.

    For example, in the following X-Forwarded-For header, the BIG-IP ASM system uses IP address 172.16.33.100:

    X-Forwarded-For: 172.16.2.66, 172.16.2.103, 172.16.33.100

  • If the X-Forwarded-For header value is empty, or the header format is non-RFC compliant, the BIG-IP ASM system uses the source IP of the packet.
  • If X-Forwarded-For is enabled on the HTTP profile associated with the virtual server on the BIG-IP system, the BIG-IP ASM system uses the value of the X-Forwarded-For header inserted by the HTTP profile, which is the source IP of the ingress packet.

If you require the BIG-IP ASM system to trust a server further than one hop toward the client (the last proxy traversed), you can use the Custom XFF Headers setting to define a specific header that is inserted closer to, or at the client, that the BIG-IP ASM system will trust. Additionally, if you require the BIG-IP ASM system to trust a proxy server that uses a different header name than the X-Forwarded-For header name, you can add the desired header name to the Custom XFF Headers setting. For information about configuring the Custom XFF Headers settings, refer to the Configuration Guide for BIG-IP Application Security Manager.
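The selection rules above can be modelled in a few lines. The following Python function is an added illustration written for this article, not F5 code, and it encodes only what the article states: when the trusted header is present, the last header wins; within that header, the last address wins; an empty or malformed value falls back to the packet source IP; and when the HTTP profile inserts the header itself, the inserted value (the ingress source IP) is what gets used. The `header_name` parameter is an assumption that lets the same rules be applied to a Custom XFF Header name; how the BIG-IP ASM system combines a custom header with the default one is not described here and is not modelled. Treating a value as non-RFC compliant when any comma-separated entry fails to parse as an IP address is also an assumption; the sample headers are constructed.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# Constructed sample request: (header-name, header-value) pairs plus the
# packet source IP as the BIG-IP system would see it.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "www.example.com"),
    ("X-Forwarded-For", "172.16.2.66, 172.16.2.103, 172.16.33.100"),
]
SAMPLE_SRC_IP = "10.0.0.5"


def _parse_ip(token: str) -> Optional[str]:
    """Return the normalised address if token is a well-formed IPv4/IPv6
    literal, otherwise None."""
    token = token.strip()
    if not token:
        return None
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def trusted_client_ip(headers: Sequence[Tuple[str, str]],
                      packet_src_ip: str,
                      header_name: str = "X-Forwarded-For",
                      http_profile_inserts_xff: bool = False) -> str:
    """Return the address the article says is used when Trust XFF is enabled.

    headers                 -- request headers in wire order
    packet_src_ip           -- source IP of the ingress packet
    header_name             -- header to trust (assumed to also cover a
                               Custom XFF Header name)
    http_profile_inserts_xff -- True if the virtual server's HTTP profile has
                               X-Forwarded-For insertion enabled
    """
    headers = list(headers)
    if http_profile_inserts_xff:
        # The HTTP profile adds its own header carrying the ingress source IP;
        # it is added after anything the client or upstream proxies sent, so
        # the "last header" rule below selects it.
        headers.append((header_name, packet_src_ip))

    # Header names are case-insensitive, so compare in lower case.
    values = [v for (name, v) in headers if name.lower() == header_name.lower()]
    if not values:
        # No trusted header present: fall back to the packet source IP.
        return packet_src_ip

    # Rule: multiple headers present -> the last header is used.
    last_header = values[-1]

    # Rule: empty value or non-compliant format -> packet source IP.
    # Assumption: "non-compliant" means some entry is not a valid IP literal.
    entries = [_parse_ip(tok) for tok in last_header.split(",")]
    if not entries or any(e is None for e in entries):
        return packet_src_ip

    # Rule: multiple addresses in the header -> the last address is used.
    return entries[-1]


def demo() -> str:
    """Run the article's worked example (expects 172.16.33.100)."""
    return trusted_client_ip(SAMPLE_HEADERS, SAMPLE_SRC_IP)


if __name__ == "__main__":
    print("trusted client IP:", demo())
```

Because only the last value is consulted, an address a client places in its own X-Forwarded-For header is ignored as soon as a trusted proxy in front of the BIG-IP ASM system appends its own entry or header; this is why the feature should be enabled only when such a proxy is actually in the path.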
