26

Can X-FORWARDED-FOR contain multiple IP addresses? If so, why? An illustrative example would be great.

Hassan Baig

2 Answers

33

Yes, if a request is chained through more than one proxy server, then each proxy should add the IP of the preceding one to the existing X-Forwarded-For header so that the entire chain is preserved.

Mike Scott
  • I've never seen a proxy that appends to an existing value. Any cite for this? – ceejayoz Apr 25 '17 at 16:24
  • 6
    Personal experience. I have spent a lot of time analysing X-Forwarded-For headers received by a large website, and it's actually not uncommon to see two or three IP addresses in the header. – Mike Scott Apr 25 '17 at 16:25
  • 4
    But also see the Wikipedia article here: https://en.m.wikipedia.org/wiki/X-Forwarded-For. It says "the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from". – Mike Scott Apr 25 '17 at 16:26
  • I wonder if it's one particular proxy doing that. Fascinating. In my experience, nginx doesn't handle it like this. – ceejayoz Apr 25 '17 at 16:26
  • 1
    @ceejayoz if you're using open source projects like nginx and write your header as "SET xff = clientIP" it will never append. _Most_ commercial appliances either append or set if attribute is unavailable http://www.networkinghowtos.com/howto/set-the-x-forwarded-for-header-on-a-nginx-reverse-proxy-setup/ – Jacob Evans Apr 25 '17 at 16:59
  • We use a netscaler. I turned on the option to forward the client's IP to the web server on XFF. For one customer, I got both their public IP and the end user's private IP. Not great. – Art Hill Sep 05 '18 at 23:40
  • Thanks for confirmation. I have seen this case with 5 IPs where we have multiple redirects from our partner. – user205987 Apr 09 '19 at 11:39
  • @ceejayoz I have seen it in our own logs from a DDoS. Two proxies being used by the attackers results in 3 IP addresses in the log. – BadHorsie Mar 19 '20 at 13:02
19

From https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

X-Forwarded-For: <client>, <proxy1>, <proxy2>

If a request goes through multiple proxies, the IP addresses of each successive proxy are listed. This means the right-most IP address is the IP address of the most recent proxy and the left-most IP address is the IP address of the originating client.

Examples:

X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348

X-Forwarded-For: 203.0.113.195

X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
Sindre
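
An added example, not part of either answer: because every hop appends to the list, a server that needs the client address for logging or rate limiting should walk the chain from the right and stop at the first address it does not operate, since entries further left were written by parties outside its control. The function names, the 10.0.0.0/8 range, the 10.0.0.5 peer and the choice of 150.172.238.178 as a trusted edge proxy are assumptions made for illustration.

```python
import ipaddress

def _to_ip(token):
    """Parse one list entry; tolerate "[v6]:port" and "v4:port". None if not an IP."""
    token = token.strip()
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def parse_chain(header_values):
    """Flatten all X-Forwarded-For lines into one left-to-right list of hops."""
    joined = ",".join(header_values)
    return [_to_ip(t) for t in joined.split(",") if t.strip()]

def client_ip(header_values, peer_addr, trusted_proxies):
    """Walk the chain right to left and return the first hop we do not operate.

    peer_addr is the TCP peer of this server; trusted_proxies are CIDR strings.
    Entries to the left of the returned hop were written by parties we do not
    control, so they are ignored. Returns None if the boundary entry is not an IP.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = parse_chain(header_values) + [_to_ip(peer_addr)]
    for hop in reversed(hops):
        if hop is None:
            return None
        if not any(hop.version == n.version and hop in n for n in nets):
            return str(hop)
    return str(hops[0])  # every hop is ours: request originated internally

# Constructed deployment: our proxies live in 10.0.0.0/8 plus one edge proxy.
TRUSTED = ["10.0.0.0/8", "150.172.238.178/32"]

if __name__ == "__main__":
    xff = ["203.0.113.195, 70.41.3.18, 150.172.238.178"]  # header from the answer
    print(parse_chain(xff))
    print(client_ip(xff, "10.0.0.5", TRUSTED))
```

With the three-address header above, the left-most entry is only what the hop at 70.41.3.18 reported, so the address the server can actually vouch for is 70.41.3.18.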