X-Forwarded-For Header Clean Up

When you have a web application that needs to use IP addresses of the client, you can either use transparency or enable the X-Forwarded-For feature on the LoadMaster.

The main issue is that the source IP address your web server sees is always that of the LoadMaster, not that of the connecting client.

The user connects to the LoadMaster and the LoadMaster connects to your web application; therefore, your web application always sees the same IP address.

IP addresses are used for all kinds of security measures. They are used for seeding secret strings in cookies in PHP. They are used for performing flood detection. They are used for brute force detection and lockouts. IP addresses are used all the time. But what happens when all the IP addresses look the same?

To work around that, there is a header called X-Forwarded-For, which can look like a lot of random things. It can look like any of the following:




X-Forwarded-For: localhost,

Because it is an optional header, it can contain random things. Sometimes those things are real IP addresses and sometimes the header just contains garbage. Either way, the X-Forwarded-For header is the best header to use to include the client’s source IP address.

The LoadMaster appends the IP address of the user who is connecting to it onto the end of the string that it receives (or creates a new string if there is not one already) and passes that to the web server.

The web-server then takes that information and parses apart the string to grab the last IP address and intelligently replaces the IP address of the proxy with the IP address listed in the X-Forwarded-For header.

Creating a content rule on the LoadMaster removes all data that precedes the last IP address in the X-Forwarded-For header, making it easier for your web server to parse the header.


Rule Type: Replace Header

Header Field: X-fOrWaRdEd-FoR

Match String: /,\s*(\d+\.\d+\.\d+\.\d+)$/

Value of Header Field to be replaced: \1

Apply the rule to the Virtual Service under Advanced Properties > HTTP Header Modifications > Request Rules.


This rule works best if the LoadMaster is configured to inject the X-Forwarded-For header:

System Configuration > Miscellaneous Options > L7 Configuration > Additional L7 Header > X-Forwarded-For


If the LoadMaster is not injecting this header, and the LoadMaster receives a request that contains the X-Forwarded-For header, it simply passes it along to the web server. To mitigate this, create a content rule to delete the X-Forwarded-For header.
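
The Python sketch below is an added example, not Kemp code. It models the effect this article describes for the clean-up rule and shows a backend taking the last X-Forwarded-For entry only when the connection comes from the LoadMaster. The function names, the sample addresses and the assumption that a match replaces the whole header value with the captured group are illustrative.

```python
import ipaddress
import re

# Match String from the content rule above (slash delimiters dropped for Python).
RULE = re.compile(r",\s*(\d+\.\d+\.\d+\.\d+)$")

def apply_cleanup_rule(xff):
    """Model the rule's described effect: keep only the last IPv4 address.

    Assumption: on a match the whole header value becomes capture group 1.
    A value the pattern does not match is passed through unchanged.
    """
    m = RULE.search(xff)
    return m.group(1) if m else xff

def client_ip(peer_ip, xff, loadmaster_ip):
    """Return the address the backend should use for lockouts and flood checks."""
    # Only a connection from the LoadMaster carries an entry the LoadMaster appended.
    if peer_ip != loadmaster_ip or not xff:
        return peer_ip
    last = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        # The pattern accepts any dotted digits (e.g. 999.1.1.1), so validate here.
        return peer_ip

def demo():
    lm = "10.0.0.5"  # constructed LoadMaster address
    samples = [      # constructed header values as received by the LoadMaster
        "localhost, 198.51.100.7, 203.0.113.9",  # chain: rule keeps the last entry
        "203.0.113.9",                           # single entry: no comma, unchanged
        "198.51.100.7, 2001:db8::1",             # IPv6 last entry: pattern is IPv4-only
        "x, 999.1.1.1",                          # matches the pattern, not a real address
    ]
    rows = []
    for raw in samples:
        cleaned = apply_cleanup_rule(raw)
        rows.append((raw, cleaned, client_ip(lm, cleaned, lm)))
    return rows

if __name__ == "__main__":
    for raw, cleaned, ip in demo():
        print(f"{raw!r:45} -> {cleaned!r:30} -> {ip}")
```
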

