What is X-Forwarded-For? Learn all about this technology and how to implement it correctly while StackPath provides you with resolution to common queries.
The StackPath CDN and WAF automatically include an x-forwarded-for header, for debugging, statistics, and generating location-dependent content, based on the original request.
The x-forwarded-for (XFF) header is the de facto standard header to identify the client IP address for an original request that was served through a proxy or load balancer.
The x-forwarded-for header will include the IP address the request originated from, followed by the IP address of the StackPath server that proxied the request, and request information from the original client. Most modules will process IPs right-to-left but can be configured to ignore the StackPath IPs, as will be discussed later.
x-forwarded-for: 220.127.116.11, 18.104.22.168
[16/Oct/2018:21:28:36 +0200] freave.nl
"GET /js/app.js HTTP/1.1" 200 275854
"https://yourdomain.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/22.214.171.124 Safari/1.0"
When the StackPath WAF is enabled, the custom x-sp-forwarded-ip header only contains the end-user IP and can be used in place of the x-forwarded-for header, for both configurations below.
Apache Module Configuration
The Apache module mod_remoteip will override the StackPath request IP with the IP provided by a specified header. This will provide the proper client IP address to every service relying on the initial connection.
For most use cases, the RemoteIPTrustedProxyList directive will perform the desired function of taking the real client IP from StackPath's requests when combined with the StackPath IP blocks. This directive will define which request header to use, and then identify a file that contains the list of trusted proxy IPs. Using this directive will apply the list of trusted IPs to all header processing, and will cause Apache to only show the real client IP to other services.
- Download the text file containing the list of StackPath IPs
- Upload that file to your server, or copy the contents to a new text file over SSH
- Add the following either to your Apache configuration file, to apply the rules globally, or to just the configuration file for the vhost you have integrated with the CDN:
Remember to replace conf/trusted-proxies.list with the actual file path to the list of StackPath IPs.
You can learn more from the official Apache documentation regarding the
Nginx Module Configuration
The ngx_http_realip_module module can be used to change the client address based on a specified header field. This module is not enabled by default and should be enabled with the --with-http_realip_module configuration parameter.
With the module enabled, applying the real IP for Nginx is as simple as adding the following text to your configuration file, and including a set_real_ip_from line for each of StackPath's IP ranges:
#list of trusted IPs
...
set_real_ip_from 126.96.36.199/21;
set_real_ip_from 188.8.131.52/24;
set_real_ip_from 184.108.40.206/21;
set_real_ip_from 220.127.116.11/25;

#To ignore the trusted IPs, and only use IPs not present on the list
real_ip_recursive on;

#To specify the header to use for the module
real_ip_header x-forwarded-for;
Doing this will allow Nginx to use the real client IP included with the x-forwarded-for header in place of any of the StackPath IPs. You can learn more from the official Nginx documentation for this module.
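The right-to-left processing with a trusted-proxy list, as described above for both modules, sketched in Python as an added example (not StackPath, Apache or Nginx code). The 203.0.113.0/24 range and every address are constructed sample values standing in for the StackPath IP blocks, and resolve_client_ip and leftmost_entry are hypothetical helper names.

```python
import ipaddress

# Constructed sample range (RFC 5737 documentation space) standing in for
# the StackPath IP blocks; these are not real StackPath addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def leftmost_entry(xff):
    """Weak approach: take the first entry, which the client itself can set."""
    return xff.split(",")[0].strip()


def resolve_client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Pick the client address the way a recursive real-IP lookup does.

    peer: source address of the TCP connection
    xff:  raw x-forwarded-for header value, or None
    """
    current = ipaddress.ip_address(peer)
    # The header is believed only when the connection comes from a trusted proxy.
    if not xff or not is_trusted(current, trusted):
        return str(current)
    # Walk right-to-left: each trusted hop vouches for the entry to its left.
    for entry in reversed(xff.split(",")):
        try:
            candidate = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could vouch for
        current = candidate
        if not is_trusted(current, trusted):
            break  # first untrusted address is the client our proxies saw
    return str(current)


if __name__ == "__main__":
    # Constructed header: the client pre-set "10.0.0.1", the proxies appended the rest.
    header = "10.0.0.1, 198.51.100.7, 203.0.113.20"
    print("left-most entry :", leftmost_entry(header))
    print("right-to-left   :", resolve_client_ip("203.0.113.10", header))
```

Anything to the left of the first untrusted address was supplied by the client and is ignored, which is why the trusted list must contain only the proxy ranges that actually front the server.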
If you have any questions or experience any issues, please reach out to our support team.