What is X-Forwarded-For? Learn all about this technology and how to implement it correctly while StackPath provides you with resolution to common queries.
The StackPath CDN and WAF automatically include an x-forwarded-for header, for debugging, statistics, and generating location-dependent content, based on the original request.
About X-Forwarded-For
The x-forwarded-for (XFF) header is the default standard header to identify the client IP address for an original request that was served through a proxy or load balancer.
StackPath's x-forwarded-for header will include the IP address the request originated from, followed by the IP address of the StackPath server that proxied the request, and request information from the original client. Most modules will process IPs right-to-left but can be configured to ignore the StackPath IPs, as will be discussed later.
For example:
x-forwarded-for: 1.2.3.4, 151.139.81.55
[16/Oct/2018:21:28:36 +0200] freave.nl
"GET /js/app.js HTTP/1.1" 200 275854
"https://yourdomain.com" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1.0.0.100 Safari/1.0"
When the StackPath WAF is enabled, the custom x-sp-forwarded-ip header contains only the end-user IP and can be used in place of the x-forwarded-for header, for both configurations below.
Apache Module Configuration
The Apache module mod_remoteip will override the StackPath request IP with the IP provided by a specified header. This will provide the proper client IP address to every service relying on the initial connection.
For most use cases, the RemoteIPTrustedProxyList directive will perform the desired function of taking the real client IP from StackPath's requests when combined with the StackPath IP blocks. This directive will define which request header to use, and then identify a file that contains the list of trusted proxy IPs. Using this directive will apply the list of trusted IPs to all header processing, and will cause Apache to only show the real client IP to other services.
Implementation
- Download the text file containing the list of StackPath IPs
- Upload that file to your server, or copy the contents to a new text file over SSH
- Add the following either to your Apache configuration file, to apply the rules globally, or only to the configuration file for the vhost you have integrated with the CDN:
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxyList conf/StackPath-ipblocks.txt
Remember to replace conf/StackPath-ipblocks.txt with the actual file path to the list of StackPath IPs.
You can learn more from the official Apache documentation regarding the mod_remoteip module.
Nginx Module Configuration
The ngx_http_realip_module module can be used to change the client address based on a specified header field. This module is not enabled by default and should be enabled with the --with-http_realip_module configuration parameter.
Implementation
With the module enabled, applying the real IP for Nginx is as simple as adding the following text to your configuration file, and including a set_real_ip_from line for each of StackPath's IP ranges:
#list of trusted IPs ...
set_real_ip_from 209.197.8.0/21;
set_real_ip_from 209.197.21.0/24;
set_real_ip_from 209.197.24.0/21;
set_real_ip_from 209.234.242.0/25;
#To ignore the trusted IPs, and only use IPs not present on the list
real_ip_recursive on;
#To specify the header to use for the module
real_ip_header x-forwarded-for;
Doing this will allow Nginx to use the real client IP included with the x-forwarded-for header in place of any of the StackPath IPs. You can learn more from the official Nginx documentation for this module.
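The right-to-left processing that both modules perform can be reproduced in application code, for example when a service parses the header itself. The Python sketch below is an added example, not StackPath, Apache or Nginx code; the helper names and the sample addresses are assumptions, and the trusted list holds only the four ranges shown in the Nginx configuration above.

```python
import ipaddress

# Trusted proxy ranges: the four StackPath blocks shown in the Nginx
# configuration above (that listing is elided, so this is not the full set).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "209.197.8.0/21", "209.197.21.0/24",
    "209.197.24.0/21", "209.234.242.0/25",
)]


def is_trusted(addr):
    """Return True if addr parses as an IP inside a trusted range."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr, xff_header):
    """Hypothetical helper: pick the client IP from the TCP peer and XFF value.

    Walks the header right-to-left and returns the first address that is not
    a trusted proxy; anything further left is client-supplied and ignored.
    """
    # A header relayed by an untrusted peer proves nothing: keep the peer.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: stop, never look further left
    return peer_addr  # header empty or made up of trusted proxies only


if __name__ == "__main__":
    edge = "209.197.8.10"  # constructed: stands in for a StackPath edge server
    for peer, xff in [
        (edge, "1.2.3.4, 209.197.8.10"),            # normal proxied request
        (edge, "10.0.0.1, 1.2.3.4, 209.197.8.10"),  # forged leftmost entry
        ("198.51.100.7", "1.2.3.4"),                # direct hit, forged header
    ]:
        print(f"{peer:>14}  {xff!r:36} -> {real_client_ip(peer, xff)}")
```

In the second sample the forged 10.0.0.1 is never returned, because the walk stops at the first address outside the trusted ranges. In the third, the header is ignored entirely because the connection did not come from a trusted proxy.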
If you have any questions or experience any issues, please reach out to our support team.