Digital Marketing

How to correctly configure your host and retrieve the X-Forwarded-For header value

Here are some common scenarios where you should use the client IP address in your origin server:
  • Serve different content based on the user's location, as determined by the IP address.
  • Check if a logged-in user's session requests are coming from the same machine. This is common in sites such as forums and message boards.
  • Abuse prevention by blocking requests when a large number of them come from a single IP address.
If any of the above situations apply to your site, it is strongly recommend that you change your origin server to use the X-Forwarded-For header. There are no known risks to making this change, even if your site does not currently use the user's IP address, so it is recommended making these changes anyway in case one of these situations apply in the future.

Here are some tips to correctly configure your host and retrieve the X-Forwarded-For header value in common web hosting software:

(Required) Server Software: The following server systems are responsible for managing incoming connections to your origin server.
Apache: Install the mod_remoteip plugin. Please make sure to modify your configuration file (/etc/httpd/conf/httpd.conf) with the updated configuration:
LoadModule remoteip_module /usr/lib64/httpd/modules/
RemoteIPHeader X-Forwarded-For
# put your CDN IP address ranges below

Nginx: Install the ngx_http_realip_module plugin.

IIS: Install the Application Request Routing (ARR) module. After installing ARR, please use the HttpContext.Current.Request.Headers["X-Forwarded-For"] variable.
(Recommended) Server Scripting Language: To maintain full functionality of your existing site, it is recommend using the following server variables to extract the original client's IP address in your code.

PHP: Use the server variable $_SERVER['HTTP_X_FORWARDED_FOR'].
ASP: Use the variable Request.ServerVariables("HTTP_X_FORWARDED_FOR").

(Recommended) Content Management Systems: If you are also using a content management system, we recommend making the following changes, in addition to the ones above.

Wordpress: Install the Reverse-Proxy Comment IP Fix plugin

phpBB: Turn off Session IP validation checks in the Admin->General->Server Configuration->Security Settings and turn ON the VALIDATE X_FORWARDED_FOR HEADER as described in the phpBB documentation.

Value of the X-Forwarded-For header field can be set at the client's side - this can also be termed as X-Forwarded-For spoofing, whether it has gone through a proxy or not. A simple curl -H "X-Forwarded-For:" will achieve this. There are X-Forwarded-For spoof plugins for Firefox and other browsers.

Proxies can be configured to remove this header in order to provide extra privacy for the end user. Many publicly available proxies advertise that they do this. When the web request is made via a proxy server (a non-elite proxy server with low anonymity level), the proxy server modifies the X-Forwarded-For field by appending the IP address of the client (user). This will result in 2 comma separated IP addresses in the X-Forwarded-For field. Hence, the web server, if needed, may detect the use of a proxy server and most likely detect the spoofing. The following article gives an explanation of this with a Python code sample X-Forwarded-For Spoofing.

Although you could check all of the IP addresses found in the comma-delimited list and block or allow access based on any of them, the two above points mean that it is not difficult for any client to completely alter those headers. The access control would not be reliable. The information useful only at a statistical level - trending, pattern analysis, etc, there can definitely be some value in collecting and logging those headers. Just don't do anything that solely relies on them. 


Popular posts from this blog