Original Publication Date: 11/04/2010
Updated Date: 09/18/2014
Overview of the X-Forwarded-For header
Proxy servers commonly insert an additional HTTP header, X-Forwarded-For, when they forward an HTTP request to another server. The value inserted is the source IP address from which the proxy received the request. As a result, subsequent proxy servers and the endpoint web server can extract the original requesting client's IP address, rather than the proxy's IP address, for applications that need this data. When multiple servers proxy the same connection, each server usually appends its own IP to the existing header value, after any IPs already present. Thus, the right-most value is the most recent (nearest the endpoint server) and the left-most value is the IP address of the originating client. Alternatively, a proxy may add a separate X-Forwarded-For header of its own to the request, so that the original client IP is the first value.
For example, IP addresses may be represented in one header:
IP addresses may also be represented in multiple headers:
Trusting X-Forwarded-For headers in the BIG-IP ASM system
In BIG-IP ASM versions prior to 10.1.0, the X-Forwarded-For header is not supported, because the header is supplied by the requester and can easily be forged. All logging, forensics, and statistics in the BIG-IP ASM system use the source IP address in the packet. Beginning in BIG-IP ASM 10.1.0, if the BIG-IP ASM system is deployed behind an internal or other trusted proxy, you can instruct it to trust the X-Forwarded-For header and use the IP address in that header instead of the packet's source IP. You can enable this feature in the Configuration utility by selecting the Trust XFF Header check box in the advanced configuration settings of the security policy properties.
Determining which XFF value the BIG-IP ASM system will trust
Because the X-Forwarded-For header is not standardized, different servers do not use it consistently. Some servers append their IP address to the existing X-Forwarded-For value list, while others add an additional X-Forwarded-For header of their own. For logging, forensics, and so on, the IP address that the BIG-IP ASM system uses when Trust XFF is enabled is as follows:
For example, in the following X-Forwarded-For header, the BIG-IP ASM system uses IP address 172.16.33.100:
X-Forwarded-For: 172.16.2.66, 172.16.2.103, 172.16.33.100
If you require the BIG-IP ASM system to trust a server more than one hop toward the client (that is, beyond the last proxy traversed), you can use the Custom XFF Headers setting to name a specific header, inserted closer to or at the client, that the BIG-IP ASM system will trust. Additionally, if you require the BIG-IP ASM system to trust a proxy server that uses a header name other than X-Forwarded-For, you can add that header name to the Custom XFF Headers setting. For information about configuring the Custom XFF Headers setting, refer to the Configuration Guide for BIG-IP Application Security Manager.
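The selection logic described in this article, as an added Python example (not F5 code and not how the BIG-IP ASM system is implemented): the header is consulted only when the packet came from a trusted proxy, the right-most value of the last matching header is used, and a custom header name can be substituted. Applying the "last value wins" rule across multiple headers is this example's reading of the layouts described above; the trusted-proxy network, the proxy address 172.16.40.1 and the header name X-Client-IP are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple, Union

Header = Tuple[str, str]  # (name, value) in the order received on the wire
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def forwarded_values(headers: Iterable[Header],
                     header_name: str = "X-Forwarded-For") -> List[str]:
    """Collect every address carried by the named header, in wire order:
    left to right within a header, earlier headers before later ones. Both
    layouts described above (one comma-separated header, or one header per
    proxy) flatten to the same list. Header names are case-insensitive."""
    values: List[str] = []
    for name, value in headers:
        if name.lower() == header_name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values

def client_ip_for_logging(packet_src: str, headers: Iterable[Header],
                          trusted_proxies: Sequence[Network],
                          header_name: str = "X-Forwarded-For") -> str:
    """Mirror the Trust XFF decision. The header is consulted only when the
    packet itself came from a trusted proxy, since anyone else can forge it.
    The value used is the right-most one of the last matching header: the
    address written by the last proxy traversed (one hop toward the client).
    Falls back to the packet source when that value is absent or malformed."""
    if not any(ipaddress.ip_address(packet_src) in net for net in trusted_proxies):
        return packet_src
    values = forwarded_values(headers, header_name)
    try:
        ipaddress.ip_address(values[-1])
    except (IndexError, ValueError):  # no header, or junk such as "unknown"
        return packet_src
    return values[-1]

def asserted_origin(headers: Iterable[Header]) -> Optional[str]:
    """Left-most value: the originating client as the chain claims it. This
    part is client-controlled, so log it for context but never authorize on it."""
    values = forwarded_values(headers)
    return values[0] if values else None

# Constructed samples reusing the article's addresses. Assumed topology: the
# BIG-IP receives the packet from a last proxy at 172.16.40.1 (hypothetical).
TRUSTED = [ipaddress.ip_network("172.16.40.0/24")]
ONE_HEADER = [("Host", "www.example.com"),
              ("X-Forwarded-For", "172.16.2.66, 172.16.2.103, 172.16.33.100")]
PER_PROXY = [("X-Forwarded-For", "172.16.2.66"),
             ("x-forwarded-for", "172.16.2.103"),
             ("X-Forwarded-For", "172.16.33.100")]
CUSTOM = [("X-Client-IP", "172.16.2.66, 172.16.33.100")]  # hypothetical header name
```

A request that reaches the BIG-IP directly from an untrusted source with a forged header yields the packet source, which is the behaviour the pre-10.1.0 versions had for every request.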