Talk:X-Forwarded-For

This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Internet High‑importance This article is within the scope of WikiProject Internet, a collaborative effort to improve the coverage of the Internet on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.InternetWikipedia:WikiProject InternetTemplate:WikiProject InternetInternet articles High This article has been rated as High-importance on the project's importance scale.

This article is prone to spam. Please monitor the References and External links sections.

The article starts off with an example of a `Forwarded` (not `X-Forwarded-For`) header. It's fine to say that the `Forwarded` header is meant to be the replacement for `X-Forwarded-For` but the example should be in a separate article about that header, or in a separate section lower on the page, or omitted entirely. — Preceding unsigned comment added by 65.157.26.58 (talk) 18:08, 17 August 2016 (UTC)[reply]

Agreed. I went ahead and moved it to the already-existing Alternatives section. Orenwolf (talk) 18:45, 17 August 2016 (UTC)[reply]

What's the difference [between X-Forwarded-For and Client-IP]? —Preceding unsigned comment added by 58.136.73.164 (talk) 02:40, November 3, 2006 (UTC)

It would be nice to list the various permutations and the vendors that use them. I've got some code I've been using some variety of for about 10 years that collects eight headers beyond the remote IP:

• Client-IP
• Coming-From
• Forwarded-For
• Forwarded
• X-Coming-From
• X-Forwarded-For
• X-Forwarded
• and Via, which just names the proxy server platform

I found these so long ago that I'm sure many of them are extinct in the wild, and I didn't record the sources when I originally collected them anyway. — Brianary (talk) 17:02, 20 October 2008 (UTC)[reply]

According to HAProxy, Zeus Web Servers require X-Cluster-Client-IP.

216.94.210.146 (talk) 14:18, 2 October 2009 (UTC)[reply]

The "Format" section of this article current says the following:

The general format of the header is:

X-Forwarded-For: client1, proxy1, proxy2

where the value is a comma+space separated list of IP addresses, the left-most being the farthest downstream client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed proxy1, proxy2, and proxy3 (proxy3 appears as the client).

But there is no "proxy3" in the example. The numbering implies that the example should read:

X-Forwarded-For: client1, proxy1, proxy2, proxy3

but then the text would seem to be saying that XFF would report the client IP at both the front and back of the chain, which makes no sense. Is this suppose to be saying "proxy3 being the IP that appears to be the client" to some component in this situation, like the end-user application or some network report? If so, the prose should say this, and the example should include the "proxy3". As it is, it makes no sense to someone not versed in XFF, who is the intended audience of the article. (Why would someone who knows XFF need the information?) I'd fix this myself, but I don't know whether this is a technical error or actual confusion of the editors. ~ Jeff Q (talk) 01:06, 25 October 2007 (UTC)[reply]

Jeffq: You are right. I had to read this page to interpret what was being said. Re-wording would probably be nice. —Preceding unsigned comment added by 70.235.23.97 (talk) 06:20, 23 December 2007 (UTC)[reply]

I did some clarifications to the article text and a note about security considerations, hope you like it. - 83.254.215.235 (talk) 09:45, 19 March 2008 (UTC)[reply]

The article doesn't seem to say why proxies would want to add this header on to the request. I think one reason is that, since servers often block abusive users by IP address, by providing an accurate X-Forwarded-For header the proxy administrator can reduce the chance that legitimate users on the same proxy are blocked along with the abusive proxy users. --Thenickdude (talk) 06:01, 8 September 2009 (UTC)[reply]

For provy administrators, it's important to allow sites to accurately report abuse. When abusers use a proxy, this header allows them to be identified accurately by the remote site (with the help of the proxy administrator). Since anyone can set this header on their HTTP requests it should never be assumed to be accurate unless if you can trust the proxy (often the case when the proxy is a local load-balancer or reverse-proxy).

This header is also widely used with load-balancers and reverse proxies to allow passing the remote user's IP address to the web servers behind them for geo-targeting or blocking abusers by their IP Address

216.94.210.146 (talk) 14:28, 2 October 2009 (UTC)[reply]

In the Proxy servers and caching engines section, there is an advertisement for a specific product for IIS to log IPs from X-Forwarded-For headers. There are other alternatives and there is no reason this specific product be listed here. I will remove it.

For example there is this one which is community-supported and free: http://devcentral.f5.com/downloads/codeshare/F5XForwardedFor.zip

216.94.210.146 (talk) 14:40, 2 October 2009 (UTC)[reply]

HTTP_X_FORWARDED_FOR seems to be a common incarnation of this, but I can't seem to find any origins. It would be interesting to see which proxies use this over "X-FORWARDED-FOR" as documented in this article. --Hm2k (talk) 08:17, 26 April 2011 (UTC)[reply]

HTTP_X_FORWARDED_FOR is what CGI and related interfaces rename the X-Forwarded-For header to the CGI environment. BCoates (talk) 22:07, 26 September 2011 (UTC)[reply]

Hello fellow Wikipedians,

I have just modified one external link on X-Forwarded-For. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

• Added archive http://web.archive.org/web/20080329064413/http://varnish.projects.linpro.no:80/wiki/FAQ to http://varnish.projects.linpro.no/wiki/FAQ#HowcanIlogtheclientIPaddressonthebackend
• Added {{dead link}} tag to http://support.citrix.com/article/CTX121834

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{

This message was posted before February 2018.

• If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
• If you found an error with any archives or the URLs themselves, you can fix them with this tool.

Cheers.—InternetArchiveBot (Report bug) 13:19, 21 July 2016 (UTC)[reply]

Can anyone find a source that actually shows that the order is 'client, proxy1, proxy2...'? The link referenced there (http://www.squid-cache.org/Doc/config/follow_x_forwarded_for/) does not explicitly state this, and I have found other references that indicate this is not always the case. Amazon's documentation, for instance, lists the exact opposite (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html) Childofsoong (talk) 22:13, 3 October 2017 (UTC)[reply]

Here is one https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For 202.156.116.71 (talk) 06:28, 1 September 2018 (UTC)[reply]

I am looking into Trusted X-Forwarded-For as mentioned here[1] Does anyone know anything about this? Are forged X-Forwarded-For headers a common thing? --Guy Macon (talk) 12:35, 16 June 2021 (UTC)[reply]

I removed the "Proxy servers and caching engines" section. What little info it contained exists elsewhere in the article. It also included a product mention and it seems like it's not the first time it was a target (see topic above: "Advertisement in article"). I don't see a reason in keeping it around. Teddyrupskin (talk) 00:08, 23 February 2023 (UTC)[reply]