"X-Forwarded-For" HTTP Header Behavior in Proxy Chain Environments

Article ID: 169846

Products

ProxySG Software - SGOS

Issue/Introduction

The "X-Forwarded-For" HTTP header contains the IP of the client that performed a specific HTTP request. This header is used by proxies or other devices to apply policies to HTTP traffic where the IP of the incoming message does not match the source client IP.

In a ProxySG, the X-Forwarded-For HTTP header can be used as a Source condition in the Visual Policy Manager (VPM) to apply policy to specific requests. The ProxySG can also add an X-Forwarded-For header, as described in article TECH241700, in order to append the client's IP to the proxy's outbound request.

The purpose of this article is to explain how the proxy behaves when we have two proxies in a chain environment and both of them have the X-Forwarded-For header enabled.

Resolution

In a common proxy chain deployment, there are typically two or more proxies within the topology. For this example we will refer to two proxies, "Proxy 1" (Internal proxy) and "Proxy 2" (External proxy).

 

Given this scenario, if we enable the "X-Forwarded-For" header feature in both proxies via the Command Line Interface (CLI), the following will occur:

  1. Proxy 1 receives an HTTP request, adds the X-Forwarded-For header, and then sends the HTTP request to Proxy 2.
  2. Proxy 2 will see that the HTTP request already has this header, so it will leave it as it is, without changing it.
  3. Proxy 2 will then create the outbound HTTP request. This request will contain the X-Forwarded-For header that was added in Proxy 1, unmodified.
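
The following Python model is an added example, not ProxySG code or configuration. It reproduces the three steps above and adds the check a source-based policy needs before relying on the header: use the value only when the request arrived from a known upstream proxy. The addresses, function names and the `trusted_upstreams` set are assumptions made for illustration, as is applying the same "leave an existing header unchanged" rule at Proxy 1.

```python
import ipaddress

XFF = "x-forwarded-for"

# Constructed sample addresses (not from the article).
CLIENT = "10.1.1.50"
PROXY1 = "10.0.0.10"   # internal proxy
PROXY2 = "192.0.2.20"  # external proxy


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def forward(headers, peer_ip):
    """Add X-Forwarded-For with the connecting peer's IP only when the
    header is absent; an existing header is passed through unmodified."""
    out = dict(headers)
    if get_header(out, XFF) is None:
        out["X-Forwarded-For"] = peer_ip
    return out


def run_chain(client_ip, client_headers):
    """Client -> Proxy 1 -> Proxy 2; returns Proxy 2's outbound headers."""
    at_proxy2 = forward(client_headers, client_ip)  # Proxy 1 sees the client
    return forward(at_proxy2, PROXY1)               # Proxy 2 sees Proxy 1


def source_for_policy(headers, peer_ip, trusted_upstreams):
    """IP a source-based policy should match on: the header value only when
    the request came from a known upstream proxy and parses as one IP."""
    value = get_header(headers, XFF)
    if value is None or peer_ip not in trusted_upstreams:
        return peer_ip
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return peer_ip  # malformed or multi-valued: fall back to the peer
```

Because Proxy 2 forwards an existing header without changing it, the `trusted_upstreams` check is what ties the header value to Proxy 1's view of the client rather than to whatever arrived on the wire.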