Can X-FORWARDED-FOR contain multiple IP addresses? If so, why? An illustrative example would be great.
Viewed 3.3k times
29

Hassan Baig
2 Answers
36
Yes, if a request is chained through more than one proxy server, then each proxy should add the IP of the preceding one to the existing X-Forwarded-For header so that the entire chain is preserved.

Mike Scott
- I've never seen a proxy that appends to an existing value. Any cite for this? – ceejayoz Apr 25 '17 at 16:24
- Personal experience. I have spent a lot of time analysing X-Forwarded-For headers received by a large website, and it's actually not uncommon to see two or three IP addresses in the header. – Mike Scott Apr 25 '17 at 16:25
- But also see the Wikipedia article here: https://en.m.wikipedia.org/wiki/X-Forwarded-For. It says "the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from". – Mike Scott Apr 25 '17 at 16:26
- I wonder if it's one particular proxy doing that. Fascinating. In my experience, nginx doesn't handle it like this. – ceejayoz Apr 25 '17 at 16:26
- @ceejayoz if you're using open source projects like nginx and write your header as "SET xff = clientIP" it will never append. _Most_ commercial appliances either append or set if the attribute is unavailable http://www.networkinghowtos.com/howto/set-the-x-forwarded-for-header-on-a-nginx-reverse-proxy-setup/ – Jacob Evans Apr 25 '17 at 16:59
- We use a NetScaler. I turned on the option to forward the client's IP to the web server on XFF. For one customer, I got both their public IP and the end user's private IP. Not great. – Art Hill Sep 05 '18 at 23:40
- Thanks for the confirmation. I have seen this case with 5 IPs where we have multiple redirects from our partner. – user205987 Apr 09 '19 at 11:39
- @ceejayoz I have seen it in our own logs from a DDoS. Two proxies being used by the attackers results in 3 IP addresses in the log. – BadHorsie Mar 19 '20 at 13:02
- @MikeScott be careful about XFF, as it can be easily forged using tools like ModHeader. There is no guarantee that the leftmost IP is the original user IP (so it should not be used for authentication purposes). If you are using Nginx or Apache it is guaranteed that the rightmost IP is the original IP of the last node connected to your server. – Mohsen Nov 10 '22 at 07:59
22
From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
X-Forwarded-For: <client>, <proxy1>, <proxy2>
If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. This means the right-most IP address is the IP address of the most recent proxy and the left-most IP address is the IP address of the originating client.
Examples:
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
X-Forwarded-For: 203.0.113.195
X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178

Giacomo1968

Sindre
- Understood, but a quick question is how we can log the left-most IP only in XFF in nginx_access_log? Currently it prints the multiple proxies' IPs as well and I require to get the left-most IP from that list. Considering it is a list, any way to log only the left-most IP? – SAGAR Nair Oct 25 '22 at 06:23
- As the X-Forwarded-For header can be spoofed, you would probably only trust the last IP just before your own proxy IPs? – MichaelD Dec 13 '22 at 08:16
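To make the two points in this thread concrete (each proxy appends the address it received the request from, and only the hops to the right of the first untrusted entry can be believed), here is an added Python example that is not part of either answer. The trusted-proxy ranges and the sample header values are constructed for the example; in practice the trusted list must be your own proxies' addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: our own reverse-proxy tier lives in these ranges.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("150.172.238.178/32")]


def parse_xff(header):
    """Split a comma-separated X-Forwarded-For value; index 0 is the left-most (oldest) hop."""
    return [part.strip() for part in header.split(",") if part.strip()]


def append_hop(header, remote_addr):
    """What a well-behaved proxy does: append the peer address it received the request from,
    preserving any chain that was already present (the behaviour Mike Scott describes)."""
    chain = parse_xff(header)
    chain.append(remote_addr)
    return ", ".join(chain)


def is_trusted(ip):
    """True only for syntactically valid addresses inside one of our trusted ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # garbage such as a forged non-IP token is never trusted
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(xff_header, peer_ip):
    """Return the right-most hop that is NOT one of our own proxies.

    peer_ip is the TCP peer that actually connected to us (always trustworthy as a fact).
    Walking right-to-left, every entry left of the first untrusted hop was written by that
    hop and may be forged, so the left-most entry is never taken at face value.
    """
    chain = parse_xff(xff_header) + [peer_ip]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return peer_ip  # entire chain is our own infrastructure (internal request)


if __name__ == "__main__":
    # Constructed scenario: a client forges "1.2.3.4", connects from 198.51.100.7 to our
    # edge proxy 10.0.0.5, which appends the real peer before forwarding.
    forged = append_hop("1.2.3.4", "198.51.100.7")
    print(forged)                          # 1.2.3.4, 198.51.100.7
    print(client_ip(forged, "10.0.0.5"))   # 198.51.100.7, not the forged 1.2.3.4
```

The MDN example header from the answer above resolves to 70.41.3.18 with these trusted ranges: 150.172.238.178 is ours, 70.41.3.18 is the first hop we cannot vouch for, and 203.0.113.195 is merely what 70.41.3.18 claimed.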