HTTP_X_FORWARDED_FOR ?

Victor

Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what's the correct IP?

Some websites say you take the first IP address, others say loop through the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

Thanks,

Vic
 
Anthony Jones

Victor said:
Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what's the correct IP?

Some websites say you take the first IP address, others say loop through the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the client's and one of
the proxy servers. As the request moves through a proxy server the IP
address of the requester is appended to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.
 
Victor

...

The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the client's and one of
the proxy servers. As the request moves through a proxy server the IP
address of the requester is appended to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.

Ah! So, if Request.ServerVariables("HTTP_X_FORWARDED_FOR") is not empty, and if it
contains a comma separated list of IP addresses, then the very first IP address is the
user's real IP address? So, in my original example:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

the user's IP address is definitely IPaddress1?

Since it is not a standard, is there a draft document I can reference?

Thanks,

Vic
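
Added example, not part of the original thread: because X-Forwarded-For is ordinary request data that the sender can fill in itself, only the entries appended by proxies you operate can be relied on, so this sketch walks the list from the right and returns the first hop that is not one of your own proxies. It is written in Python for illustration; `TRUSTED_PROXIES`, `client_ip` and the sample network are assumptions, not anything from the posts above.

```python
import ipaddress

# Assumption: networks of the reverse proxies / load balancers you operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # constructed sample


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Return the address of the nearest hop that is not one of our proxies.

    remote_addr:     REMOTE_ADDR, the TCP peer (cannot be set by a header)
    x_forwarded_for: raw HTTP_X_FORWARDED_FOR value, empty or a comma list
    """
    peer = ipaddress.ip_address(remote_addr.strip())
    # A direct connection from an untrusted peer: the header is whatever
    # the sender typed, so ignore it completely.
    if not x_forwarded_for or not _is_trusted(peer, trusted):
        return str(peer)

    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones written by our own infrastructure.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # "unknown", host names, junk: fall back to the last verified hop.
            return str(peer)
        if not _is_trusted(addr, trusted):
            return str(addr)
        peer = addr
    return str(peer)  # every listed hop was one of our proxies
```

For logging or abuse handling, store the raw header next to the value this returns so the full chain can be reviewed later.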
 
