I understand that a header HTTP_X_FORWARDED_FOR is set by proxy servers to identify the IP address of the host that is making the HTTP request through the proxy. I've heard claims that the header HTTP_CLIENT_IP is set for similar purposes.
HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?
HTTP_X_FORWARDED_FOR is often used to detect the client IP address, but without any additional checks, this can lead to security issues, especially when this IP is later used for authentication or in SQL queries without sanitization.
True-Client-IP is a solution that allows Cloudflare users to see the end user's IP address, even when the traffic to the origin is sent directly from Cloudflare.
REMOTE_HOST pertains to the hostname of the client (i.e. the computer making the request). REMOTE_ADDR refers to the IP address of the client. There would be times when the hostname is unresolvable so the REMOTE_HOST will return the REMOTE_ADDR or the IP address instead.
Before 2014, there was no standard HTTP header for proxies to insert the client IP. The most common non-standard HTTP header was X-Forwarded-For. Some other proxies / reverse proxies use True-Client-IP (like Akamai). RFC 7239 describes a new standard, but it is not well deployed yet.
The difference between TCP/IP and HTTP is that TCP/IP is a network standard, specifically a protocol, that defines how messages (data) are routed from one end of a network to the other, while HTTP, which stands for Hypertext Transfer Protocol, is a set of rules that defines how pages transfer on the Internet.
So the presence of an X-Forwarded-For (or "Via", or some other variants) is not a reliable indicator of the real IP. The absence of such a header is not an indicator of a direct connection.
So in order to let the server know who is behind the reverse proxy, the F5 can insert the XFF header with the client addr. In that manner, once the request is forwarded to the client it can process this info. Hope it clarifies.
Neither of these headers are officially standardised. Therefore:
1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? - It is impossible to say. Different proxies may implement these, or may not. The implementations may vary from one proxy to the next, and they may not. A lack of a standard breeds question marks.
2. Why would one have different values than the other? - See point 1. However, from a purely practical point of view, the only reason I can see for these having different values is if more than one proxy was involved - the X-Forwarded-For: header might then contain a complete track of the forwarding chain, whereas the Client-IP: header would contain the actual client IP. This is pure speculation, however.
3. Where can I find resources on the exact definition of these headers? - You can't. See point 1.
There does seem to be some kind of de-facto standard regarding the X-Forwarded-For: header, but given that there is no RFC that defines it this cannot be relied upon (see comment below).
As a side note, the Client-IP: header should by convention be X-Client-IP: since it is a 'user-defined' header.
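The "additional checks" mentioned earlier on this page, sketched as an added example that is not code from any of the answers quoted here. It reads a CGI/WSGI-style environ dict; the function name client_ip and the TRUSTED_PROXIES ranges are assumptions made for illustration.

```python
import ipaddress

# Assumption: only our own reverse proxies may set forwarding headers.
# These ranges are constructed sample values.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def _parse(value):
    """Return an ip_address object, or None if value is not a literal IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Pick the client IP from a CGI/WSGI-style environ dict.

    REMOTE_ADDR comes from the TCP connection, so it is the starting point.
    X-Forwarded-For is consulted only when the peer is a trusted proxy, and
    is walked right to left: each proxy appends the address it saw, so the
    rightmost entries are the ones written by our own proxies.
    """
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    if not _is_trusted(peer):
        return str(peer)  # direct connection: ignore client-supplied headers
    hops = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            return str(peer)  # malformed or missing entry: keep last verified hop
        if not _is_trusted(addr):
            return str(addr)  # first hop that is not one of our proxies
        peer = addr
    return str(peer)
```

Because every returned value has passed ipaddress parsing, a header containing arbitrary text never reaches an authentication check or SQL query as the "IP".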