 

What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?

I understand that a header HTTP_X_FORWARDED_FOR is set by proxy servers to identify the IP address of the host that is making the HTTP request through the proxy. I've heard claims that the header HTTP_CLIENT_IP is set for similar purposes.

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?
  2. Why would one have different values than the other?
  3. Where can I find resources on the exact definition of these headers?
Ethan Heilman asked Sep 16 '11 13:09




1 Answer

Neither of these headers is officially standardised. Therefore:

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? - it is impossible to say. Different proxies may implement these, or may not. The implementations may vary from one proxy to the next, and they may not. A lack of a standard breeds question marks.
  2. Why would one have different values than the other? - See point 1. However, from a purely practical point of view, the only reason I can see for these having different values is if more than one proxy was involved - the X-Forwarded-For: header might then contain a complete track of the forwarding chain, whereas the Client-IP: header would contain the actual client IP. This is pure speculation, however.
  3. Where can I find resources on the exact definition of these headers? - You can't. See point 1.

There does seem to be some kind of de-facto standard regarding the X-Forwarded-For: header, but given that there is no RFC that defines it this cannot be relied upon; see comment below.

As a side note, the Client-IP: header should by convention be X-Client-IP: since it is a 'user-defined' header.

DaveRandom answered Sep 22 '22 19:09
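Added example, not part of the original question or answer: one way a server can resolve a client address from the CGI-style variables discussed here, taking X-Forwarded-For only from proxies it operates and never reading HTTP_CLIENT_IP. It goes beyond the answer by assuming the common convention that each proxy appends the address it received the request from; the `TRUSTED_PROXIES` ranges, the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: the only proxies allowed to vouch for a client address.
# Constructed example ranges, not taken from the page.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

# Constructed sample: a direct client forging both headers.
SPOOFED = {"REMOTE_ADDR": "203.0.113.7",
           "HTTP_X_FORWARDED_FOR": "1.2.3.4",
           "HTTP_CLIENT_IP": "1.2.3.4"}


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse(value):
    """Return an ip_address object, or None if the token is not a bare IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip(environ):
    """Resolve the client address from a CGI/WSGI-style environ dict.

    REMOTE_ADDR is the TCP peer and the only value the client cannot set.
    X-Forwarded-For is read only when that peer is a trusted proxy, and is
    walked right to left. HTTP_CLIENT_IP is never consulted.
    """
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        raise ValueError("REMOTE_ADDR missing or malformed")
    if not _is_trusted(peer):
        return str(peer)  # direct connection: ignore all forwarding headers

    candidate = peer
    for token in reversed(environ.get("HTTP_X_FORWARDED_FOR", "").split(",")):
        hop = _parse(token)
        if hop is None:
            break  # empty or garbage entry: stop at the last verified hop
        candidate = hop
        if not _is_trusted(hop):
            break  # first address not vouched for by our own proxies
    return str(candidate)
```

Entries to the left of the first untrusted hop are whatever the sender chose to put there, which is why the walk stops instead of taking the leftmost value.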