Single IP Headers

Adam Pritchard edited this page Mar 25, 2022 · 3 revisions

Terminology:

Client socket IP: The IP address of the client connecting directly to the first reverse proxy (e.g., to the cloud provider's edge). This is a trustworthy value.

Cloudflare

CF-Connecting-IP (for everyone) and True-Client-IP (for Enterprise customers with backwards compatibility requirements) are synonyms. They are set to the client socket IP.

https://developers.cloudflare.com/fundamentals/get-started/http-request-headers/

Azure

X-Azure-ClientIP: Represents the client IP address associated with the request being processed. For example, a request coming from a proxy might add the X-Forwarded-For header to indicate the IP address of the original caller.

X-Azure-SocketIP: Represents the socket IP address associated with the TCP connection that the current request originated from. A request's client IP address might not be equal to its socket IP address because the client IP can be arbitrarily overwritten by a user.

So, X-Azure-ClientIP is the leftmost-ish XFF IP and X-Azure-SocketIP is the client socket IP.

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol

Fastly

Fastly-Client-IP gets the client socket IP.

However:

The value is not protected from modification at the edge of the Fastly network, so if a client sets this header themselves, we will use it. If you want to prevent this [you need to do some additional configuration].

So, by default Fastly-Client-IP is trivially spoofable. Make sure you do the additional configuration to make it trustable. And then test to make sure you configured it properly.

https://developer.fastly.com/reference/http/http-headers/Fastly-Client-IP/

Akamai

True-Client-IP gets the leftmost, untrustworthy X-Forwarded-For IP address. It also does not get replaced if the header is already present in the request. It is trivially spoofable.

https://community.akamai.com/customers/s/article/Difference-Between-Akamai-True-Client-IP-header-and-Default-X-Forwarded-For

Others

X-Real-IP is a common single-IP header. It seems to be used often with Nginx. ngx_http_realip_module can be used to derive it from X-Forwarded-For using a rightmost-trusted-range strategy like:

set_real_ip_from  192.168.0.0/16;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;
proxy_set_header  X-Real-IP $remote_addr;

(That config is not tested at all. Someone who knows Nginx should check it.)
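
The rightmost-trusted-range strategy named above, written out as an added Go example (not code from this page or from Nginx). The function name, the trusted range and the request values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// rightmostUntrusted starts at the socket peer and walks X-Forwarded-For from
// right to left, skipping addresses that fall inside the trusted proxy ranges.
func rightmostUntrusted(peer string, xff []string, trusted []netip.Prefix) (netip.Addr, error) {
	inTrusted := func(a netip.Addr) bool {
		for _, p := range trusted {
			if p.Contains(a.Unmap()) { // Unmap so ::ffff:a.b.c.d matches IPv4 ranges
				return true
			}
		}
		return false
	}
	cur, err := netip.ParseAddr(peer)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad peer address: %w", err)
	}
	if !inTrusted(cur) {
		return cur, nil // not one of our proxies: ignore client-supplied headers
	}
	// Several X-Forwarded-For header lines count as one list, in order.
	joined := strings.Join(xff, ",")
	if strings.TrimSpace(joined) == "" {
		return cur, nil
	}
	hops := strings.Split(joined, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil { // fail closed instead of guessing past a garbage entry
			return netip.Addr{}, fmt.Errorf("unparseable XFF entry %q", hops[i])
		}
		if !inTrusted(a) {
			return a, nil // first address not written by a trusted proxy
		}
		cur = a
	}
	return cur, nil // every hop was trusted: leftmost entry
}

func main() {
	trusted := []netip.Prefix{netip.MustParsePrefix("192.168.0.0/16")}
	// Constructed request: the client sent "1.1.1.1"; the proxies appended the rest.
	fmt.Println(rightmostUntrusted("192.168.0.5", []string{"1.1.1.1, 203.0.113.7", "192.168.1.9"}, trusted))
}
```

The client-supplied leftmost entry (1.1.1.1) is never reached, because the walk stops at the first address that a trusted proxy did not write.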

X-Client-IP is used in the Apache server mod_remoteip docs, but it seems to be configurable.
