How to correctly configure your host and retrieve the X-Forwarded-For header value
Here are some common scenarios where you should use the client IP address in your origin server:
Here are some tips to correctly configure your host and retrieve the X-Forwarded-For header value in common web hosting software:
(Required) Server Software: The following server systems are responsible for managing incoming connections to your origin server.
Apache: Install the mod_remoteip plugin. Please make sure to modify your configuration file (/etc/httpd/conf/httpd.conf) with the updated configuration:
LoadModule remoteip_module /usr/lib64/httpd/modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
# put your CDN IP address ranges below
RemoteIPInternalProxy 0.0.0.0/0 1.1.1.1/1 2.2.2.2/2
Nginx: Install the ngx_http_realip_module plugin.
IIS: Install the Application Request Routing (ARR) module. After installing ARR, please use the HttpContext.Current.Request.Headers["X-Forwarded-For"] variable.
PHP: Use the server variable $_SERVER['HTTP_X_FORWARDED_FOR'].
ASP: Use the variable Request.ServerVariables("HTTP_X_FORWARDED_FOR").
(Recommended) Content Management Systems: If you are also using a content management system, we recommend making the following changes, in addition to the ones above.
Wordpress: Install the Reverse-Proxy Comment IP Fix plugin
phpBB: Turn off Session IP validation checks in the Admin->General->Server Configuration->Security Settings and turn ON the VALIDATE X_FORWARDED_FOR HEADER as described in the phpBB documentation.
Value of the X-Forwarded-For header field can be set at the client's side - this can also be termed as X-Forwarded-For spoofing, whether it has gone through a proxy or not. A simple curl -H "X-Forwarded-For: 127.0.0.1" http://example.com will achieve this. There are X-Forwarded-For spoof plugins for Firefox and other browsers.
Proxies can be configured to remove this header in order to provide extra privacy for the end user. Many publicly available proxies advertise that they do this. When the web request is made via a proxy server (a non-elite proxy server with low anonymity level), the proxy server modifies the X-Forwarded-For field by appending the IP address of the client (user). This will result in 2 comma separated IP addresses in the X-Forwarded-For field. Hence, the web server, if needed, may detect the use of a proxy server and most likely detect the spoofing. The following article gives an explanation of this with a Python code sample X-Forwarded-For Spoofing.
Although you could check all of the IP addresses found in the comma-delimited list and block or allow access based on any of them, the two above points mean that it is not difficult for any client to completely alter those headers. The access control would not be reliable. The information useful only at a statistical level - trending, pattern analysis, etc, there can definitely be some value in collecting and logging those headers. Just don't do anything that solely relies on them.
- Serve different content based on the user's location, as determined by the IP address.
- Check if a logged-in user's session requests are coming from the same machine. This is common in sites such as forums and message boards.
- Abuse prevention by blocking requests when a large number of them come from a single IP address.
Here are some tips to correctly configure your host and retrieve the X-Forwarded-For header value in common web hosting software:
(Required) Server Software: The following server systems are responsible for managing incoming connections to your origin server.
Apache: Install the mod_remoteip plugin. Please make sure to modify your configuration file (/etc/httpd/conf/httpd.conf) with the updated configuration:
LoadModule remoteip_module /usr/lib64/httpd/modules/mod_remoteip.so
RemoteIPHeader X-Forwarded-For
# put your CDN IP address ranges below
RemoteIPInternalProxy 0.0.0.0/0 1.1.1.1/1 2.2.2.2/2
Nginx: Install the ngx_http_realip_module plugin.
IIS: Install the Application Request Routing (ARR) module. After installing ARR, please use the HttpContext.Current.Request.Headers["X-Forwarded-For"] variable.
(Recommended) Server Scripting Language: To maintain full functionality of your existing site, it is recommend using the following server variables to extract the original client's IP address in your code.
PHP: Use the server variable $_SERVER['HTTP_X_FORWARDED_FOR'].
ASP: Use the variable Request.ServerVariables("HTTP_X_FORWARDED_FOR").
(Recommended) Content Management Systems: If you are also using a content management system, we recommend making the following changes, in addition to the ones above.
Wordpress: Install the Reverse-Proxy Comment IP Fix plugin
phpBB: Turn off Session IP validation checks in the Admin->General->Server Configuration->Security Settings and turn ON the VALIDATE X_FORWARDED_FOR HEADER as described in the phpBB documentation.
Value of the X-Forwarded-For header field can be set at the client's side - this can also be termed as X-Forwarded-For spoofing, whether it has gone through a proxy or not. A simple curl -H "X-Forwarded-For: 127.0.0.1" http://example.com will achieve this. There are X-Forwarded-For spoof plugins for Firefox and other browsers.
Proxies can be configured to remove this header in order to provide extra privacy for the end user. Many publicly available proxies advertise that they do this. When the web request is made via a proxy server (a non-elite proxy server with low anonymity level), the proxy server modifies the X-Forwarded-For field by appending the IP address of the client (user). This will result in 2 comma separated IP addresses in the X-Forwarded-For field. Hence, the web server, if needed, may detect the use of a proxy server and most likely detect the spoofing. The following article gives an explanation of this with a Python code sample X-Forwarded-For Spoofing.
Although you could check all of the IP addresses found in the comma-delimited list and block or allow access based on any of them, the two above points mean that it is not difficult for any client to completely alter those headers. The access control would not be reliable. The information useful only at a statistical level - trending, pattern analysis, etc, there can definitely be some value in collecting and logging those headers. Just don't do anything that solely relies on them.
Comments
Post a Comment