Using ModHeader to change X-Forwarded-For header
What is X-Forwarded-For header?
X-Forwarded-For (XFF) request header is a de-facto standard header for identifying
the originating IP address of a client connecting to a web server through a proxy server.
When a client connects directly to a server, the client's IP address is sent to the server (and
is often written to server access logs). But if a client connection passes through any forward
or reverse proxies, the server only sees the final proxy's IP address, which is often of little
use. That's especially true if the final proxy is a load balancer which is part of the same
installation as the server. So, to provide a more-useful client IP address to the server, the
X-Forwarded-For request header is used.
X-Forwarded-For: <client>, <proxy1>, <proxy2>
Elements are comma-separated, with optional whitespace surrounding the commas.
The client IP address
- <proxy1>, <proxy2>
If a request goes through multiple proxies, the IP addresses of each successive proxy is listed. This means that, given well-behaved client and proxies, the rightmost IP address is the IP address of the most recent proxy and the leftmost IP address is the IP address of the originating client.
X-Forwarded-For header is untrustworthy when no trusted reverse proxy (e.g., a
load balancer) is between the client and server. It's possible any part (or the entirety) of the
header may have been spoofed (and may not be a list or contain IP addresses at all). Any
security-related use of
X-Forwarded-For (such as for rate limiting or IP-based
access control) must only use IP addresses added by a trusted proxy.
Using untrustworthy values can result in rate-limiter avoidance, access-control bypass, memory exhaustion,
or other negative security or availability consequences.
Changing X-Forwarded-For request header
Using ModHeader, you can easily modify the
X-Forwarded-For header using
the following steps:
- Click on , and select Request header
X-Forwarded-Forrequest header with a fake IP address.
- Now visit your web server and check the logs to see if your server is blinding trusting the
X-Forwarded-Forheader. If it is, you may want to update your web server to not blindly trusting