X-Forwarding

About this task

A common standard, X-forwarding enables the tracking of the originating IP address of a client that is connecting to a server through multiple servers, such as proxy servers or load balancers.

  • When enabled, the HTTP_X_FORWARDING field can be populated with the IP address of each server that reviewed and forwarded the request.
  • When content is returned from the origin web server, it is passed through each server that is listed in the HTTP_X_FORWARDING field. Each server removes the reference to it in the field and then passes it to the next server in the chain.
  • In this manner, content can be passed through multiple servers between the requesting client and the supplying origin server.
  • Use of port numbers in the IP address (for example, <ip_address>:XXXX) is not supported.
  • If a CLIENT_IP header is available, it can be preferable to use this for the X-Forwarding source, as it typically contains only one IP address.

Depending on how your web application is configured, you can define through the DNCA the header field that is used to specify the HTTP_X_FORWARDING field. This field then points to the field that is the source of the IP address, in either IPv4 or IPv6 format.

Note: Although not required, the X-forwarding feature can be used to manage forwarding for both IPv4 and IPv6 addresses.
You can configure the source of the REMOTE_ADDR address value that is inserted into the DNCA.

Procedure

  1. To enable X-forwarding, click the Enable check box.
  2. For the field Name value, enter the HTTP request header variable name that contains the X-Forwarding IP address. For example:

      HTTP_X_FORWARDED_FOR
      X_FORWARDED_FOR
      X-FORWARDED-FOR
      
      Note: The field name is case-sensitive.
      Note: If the X-forwarding source field can contain multiple IP addresses, each IP address must be separated by a comma. Semicolons and other field delimiters are not supported. In a multi-entry line, the first address is used if it is properly demarcated; otherwise, the entire line is used and is not processed properly.
  3. Click Save Changes.

Results

When X-forwarding is enabled through the Pipeline tab, the specified header field is scanned for the name of the field in the request to use for REMOTE_ADDR. This field is then scanned for the value to insert into REMOTE_ADDR.

  • The search is case-sensitive.
  • The identified field is scanned for correct formatting. If no matching value is found, no action is taken, and REMOTE_ADDR is populated normally.

If a match is found, the value is inserted into REMOTE_ADDR, and the previous value is inserted into the request variable REMOTE_ADDR_ORIG.

Example (IPv4)

REMOTE_ADDR=10.20.30.40
IPV6_REMOTE_ADDR=0000:0000:0000:0000:0000:FFFF:0A14:1E28
REMOTE_ADDR_ORIG=10.10.28.82

Example (IPv6)

REMOTE_ADDR=abcd::100:B200:CD10:10
IPV6_REMOTE_ADDR=ABCD:0000:0000:0000:0100:B200:CD10:0010
REMOTE_ADDR_ORIG=10.10.28.82
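
The substitution described under Results, modelled in Python as an added example (this is not DNCA code). The function name, the dictionary of request variables, and the choice to treat an unparsable first entry as "no action" are assumptions made for illustration.

```python
import ipaddress


def expand_to_ipv6(addr):
    """Return the fully expanded, upper-case IPv6 form shown in the examples above."""
    if addr.version == 4:
        # IPv4 is represented as an IPv4-mapped IPv6 address (::FFFF:a.b.c.d).
        addr = ipaddress.IPv6Address((0xFFFF << 32) | int(addr))
    return addr.exploded.upper()


def apply_x_forwarding(request_vars, field_name):
    """Model of the REMOTE_ADDR substitution (hypothetical helper).

    request_vars: dict of request variable names to values.
    field_name:   configured header variable name; the lookup is case-sensitive.
    """
    updated = dict(request_vars)
    raw = request_vars.get(field_name)      # exact-case match only
    if raw is None:
        return updated                      # no matching field: no action

    # Only a comma is accepted as the delimiter; the first entry is used.
    first = raw.split(",")[0].strip()
    try:
        addr = ipaddress.ip_address(first)  # rejects ports, semicolons, garbage
    except ValueError:
        return updated                      # assumption: malformed value is ignored

    updated["REMOTE_ADDR_ORIG"] = request_vars.get("REMOTE_ADDR", "")
    updated["REMOTE_ADDR"] = first
    updated["IPV6_REMOTE_ADDR"] = expand_to_ipv6(addr)
    return updated


if __name__ == "__main__":
    # Constructed sample requests; 192.0.2.7 is a documentation address.
    samples = [
        {"REMOTE_ADDR": "10.10.28.82", "HTTP_X_FORWARDED_FOR": "10.20.30.40, 192.0.2.7"},
        {"REMOTE_ADDR": "10.10.28.82", "HTTP_X_FORWARDED_FOR": "abcd::100:B200:CD10:10"},
        {"REMOTE_ADDR": "10.10.28.82", "HTTP_X_FORWARDED_FOR": "10.20.30.40:8080"},
        {"REMOTE_ADDR": "10.10.28.82", "HTTP_X_FORWARDED_FOR": "10.20.30.40;192.0.2.7"},
    ]
    for request in samples:
        print(apply_x_forwarding(request, "HTTP_X_FORWARDED_FOR"))
```

The last two samples carry a port number and a semicolon delimiter, so REMOTE_ADDR is left as received. When a substitution does happen, REMOTE_ADDR_ORIG still holds the address of the directly connected peer.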