The HTTP header X-Forwarded-For can be used to get the IP address of the REAL client, especially in a network with proxies and load balancers.
The X-Forwarded-For (XFF) header is a de facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain only the IP address of the proxy or load balancer. To see the original IP address of the client, the X-Forwarded-For request header is used.
The syntax is:
    X-Forwarded-For: <client>, <proxy1>, <proxy2>
    X-Forwarded-For: 203.0.113.195, 126.96.36.199, 188.8.131.52
When an HTTP request flows through a proxy, the proxy appends its IP address to X-Forwarded-For (if it respects this header).
X- headers are not recommended anymore:
Custom proprietary headers can be added using the 'X-' prefix, but this convention was deprecated in June 2012.
A standardized and enhanced header, Forwarded, has been introduced.
    # the original request is from 192.0.2.60, and passed through proxy 203.0.113.43
    Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43
    # client can also append some obfuscated identifier like "secret" here, server can
    # then use it to validate the integrity of a client.
    Forwarded: for=184.108.40.206;secret=egah2CGj55fSJFs, for=10.1.2.3
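Both headers arrive with whatever the client chose to send in their left-most entries, so a server should only believe the hops appended by its own proxies. The following is an added example, not code from the original page: it parses X-Forwarded-For and Forwarded and walks the hops right to left from the TCP peer; the TRUSTED_PROXIES ranges, the function names and the sample addresses are assumptions.

```python
import ipaddress
import re

# Assumption: our own proxies / load balancers live in these ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.43/32")]

def _to_ip(token):
    """Parse one hop; return None for obfuscated ids, 'unknown' or junk."""
    token = token.strip().strip('"')
    if token.startswith("["):            # "[2001:db8::1]:4711"
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # "192.0.2.60:4711"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def xff_hops(value):
    """Hops of an X-Forwarded-For value, left (client side) to right."""
    return [h for h in value.split(",") if h.strip()]

def forwarded_hops(value):
    """The for= parameter of each element of a Forwarded value, in order."""
    hops = []
    for element in value.split(","):
        m = re.search(r'(?:^|;)\s*for=("[^"]*"|[^;,\s]*)', element, re.I)
        hops.append(m.group(1) if m else "unknown")
    return hops

def client_ip(peer_addr, hops):
    """Walk right to left from the TCP peer and return the first address that
    is not one of our proxies; anything further left is client-supplied."""
    candidate = ipaddress.ip_address(peer_addr)
    for hop in reversed(hops):
        if not any(candidate in net for net in TRUSTED_PROXIES):
            break                        # reached a sender we do not control
        parsed = _to_ip(hop)
        if parsed is None:
            break                        # unparsable hop: keep last good address
        candidate = parsed
    return str(candidate)

if __name__ == "__main__":
    # Constructed request: the client forged the first entry (192.0.2.1).
    print(client_ip("10.0.0.5", xff_hops("192.0.2.1, 198.51.100.7")))
```

Log the full header alongside the resolved address, but base rate limits and access decisions only on the value returned by client_ip.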