
HTTP_X_FORWARDED_FOR ?

Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")?

Googling I've found everyone repeating the same information - claiming that
HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
contains a value then it's the real IP address of the visitor.

But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
this:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

where two IP addresses are separated by a comma. Of course, that entire string for
HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?

Some websites say you take the first IP address, others say loop through the addresses &
see if one matches the Class B domain of the REMOTE_ADDR IP address...

Ack!

Is there any "official" docs on this?

Thanks,

Vic


Sep 6 '06 #1
3 Replies



"Victor" <vi*@vic.com> wrote in message
news:u3**************@TK2MSFTNGP02.phx.gbl...
> Is there any official documentation on
> Request.ServerVariables("HTTP_X_FORWARDED_FOR")?
>
> Googling I've found everyone repeating the same information - claiming that
> HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
> contains a value then it's the real IP address of the visitor.
>
> But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
> a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
> this:
>
> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
> REMOTE_ADDR = IPaddress3
>
> where two IP addresses are separated by a comma. Of course, that entire string for
> HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?
>
> Some websites say you take the first IP address, others say loop through the addresses &
> see if one matches the Class B domain of the REMOTE_ADDR IP address...
>
> Ack!
>
> Is there any "official" docs on this?

The x-forwarded-for header is not a standard http header (hence the x-
prefix). It is an attempt by the big proxy server vendors to help ISPs
identify and block abusive IP addresses.

If there are two proxy servers between the client and your server you will
see two IP addresses in the x-forwarded-for header, the client's and one of
the proxy servers. As the request moves through a proxy server the IP
address of the requester is appended to the x-forwarded-for header. Hence the
first IP address will be the original client IP and there can be any number
of IP addresses depending on how many proxy servers it passes through.

Anthony.
> Thanks,
>
> Vic


Sep 7 '06 #2

"Anthony Jones" wrote...
> "Victor" wrote...
>> Is there any official documentation on
>> Request.ServerVariables("HTTP_X_FORWARDED_FOR")?
>>
>> Googling I've found everyone repeating the same information - claiming that
>> HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
>> contains a value then it's the real IP address of the visitor.
>>
>> But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
>> a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
>> this:
>>
>> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
>> REMOTE_ADDR = IPaddress3
>>
>> where two IP addresses are separated by a comma. Of course, that entire string for
>> HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?
>>
>> Some websites say you take the first IP address, others say loop through the addresses &
>> see if one matches the Class B domain of the REMOTE_ADDR IP address...
>>
>> Ack!
>>
>> Is there any "official" docs on this?
>
> The x-forwarded-for header is not a standard http header (hence the x-
> prefix). It is an attempt by the big proxy server vendors to help ISPs
> identify and block abusive IP addresses.
>
> If there are two proxy servers between the client and your server you will
> see two IP addresses in the x-forwarded-for header, the client's and one of
> the proxy servers. As the request moves through a proxy server the IP
> address of the requester is appended to the x-forwarded-for header. Hence the
> first IP address will be the original client IP and there can be any number
> of IP addresses depending on how many proxy servers it passes through.
>
> Anthony.

Ah! So, if Request.ServerVariables("HTTP_X_FORWARDED_FOR") is not empty, and if it
contains a comma-separated list of IP addresses, then the very first IP address is the
user's real IP address? So, in my original example:

HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
REMOTE_ADDR = IPaddress3

the user's IP address is definitely IPaddress1?

Since it is not a standard, is there a draft document I can reference?

Thanks,

Vic

Sep 8 '06 #3

Victor wrote:
> HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
> REMOTE_ADDR = IPaddress3
>
> the user's IP address is definitely IPaddress1?

No. It *might* be, but there is no reason to assume so. That header is
easily spoofed, for one thing. For another, this content differs by proxy
type:

http://www.usemod.com/cgi-bin/mb.pl?AnonymousProxy

--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms.
Sep 8 '06 #4
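
Added example, not written by any poster in this thread: one defensive way to choose an address from the two server variables discussed above, given that the header can be spoofed. It uses the header only when REMOTE_ADDR is a proxy you operate and reads the list from the right, where your own proxies wrote their entries. The `TRUSTED_PROXIES` ranges and the function names are assumptions, and all addresses are constructed samples.

```python
import ipaddress

# Assumption: the reverse proxies / load balancers you operate yourself.
# Constructed sample ranges; replace with your own infrastructure.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for):
    """Return the address a request should be attributed to.

    remote_addr     -- value of REMOTE_ADDR (the TCP peer, set by the server)
    x_forwarded_for -- value of HTTP_X_FORWARDED_FOR (client-controllable text)
    """
    peer = ipaddress.ip_address(remote_addr.strip())

    # If the peer is not one of our proxies, whoever connected could have
    # written anything into the header, so it is ignored entirely.
    if not x_forwarded_for or not is_trusted(peer):
        return str(peer)

    hops = [h.strip() for h in x_forwarded_for.split(",")]

    # Each proxy appends the address it received the request from, so entries
    # on the right were written by our infrastructure and entries further
    # left may have been supplied by the client. Walk right to left.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # "unknown", host:port or junk: fall back to the last hop we verified.
            return str(peer)
        if not is_trusted(addr):
            # First address not written about one of our own proxies.
            return str(addr)
        peer = addr

    # Every entry was one of our proxies; report the outermost one.
    return str(peer)
```

With `REMOTE_ADDR = 10.0.0.5` and a header of `1.2.3.4, 198.51.100.23`, this returns `198.51.100.23`, whereas taking the first entry would return the value the client typed.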
