HTTP_X_FORWARDED_FOR ?

  • Victor

    HTTP_X_FORWARDED_FOR ?

    Is there any official documentation on Request.ServerVariables("HTTP_X_FORWARDED_FOR")?

    Googling I've found everyone repeating the same information - claiming that
    HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that if it
    contains a value then it's the real IP address of the visitor.

    But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR contains
    a single IP value, but I am also seeing it contain a LIST of IP addresses - I'm seeing
    this:

    HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
    REMOTE_ADDR = IPaddress3

    where two IP addresses are separated by a comma. Of course, that entire string for
    HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?

    Some websites say you take the first IP address, others say loop through the addresses &
    see if one matches the Class B domain of the REMOTE_ADDR IP address...

    Ack!

    Is there any "official" docs on this?

    Thanks,

    Vic




  • Anthony Jones

    #2
    Re: HTTP_X_FORWARDED_FOR ?


    "Victor" <vic@vic.com> wrote in message
    news:u3d1VFd0GHA.4016@TK2MSFTNGP02.phx.gbl...
    > Is there any official documentation on
    > Request.ServerVariables("HTTP_X_FORWARDED_FOR")?
    >
    > Googling I've found everyone repeating the same information - claiming that
    > HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and that
    > if it contains a value then it's the real IP address of the visitor.
    >
    > But this isn't consistent with what I am seeing. Sometimes HTTP_X_FORWARDED_FOR
    > contains a single IP value, but I am also seeing it contain a LIST of IP
    > addresses - I'm seeing this:
    >
    > HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
    > REMOTE_ADDR = IPaddress3
    >
    > where two IP addresses are separated by a comma. Of course, that entire string
    > for HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the correct IP?
    >
    > Some websites say you take the first IP address, others say loop through the
    > addresses & see if one matches the Class B domain of the REMOTE_ADDR IP address...
    >
    > Ack!
    >
    > Is there any "official" docs on this?
    >

    The x-forwarded-for header is not a standard HTTP header (hence the x-
    prefix). It is an attempt by the big proxy server vendors to help ISPs
    identify and block abusive IP addresses.

    If there are two proxy servers between the client and your server you will
    see two IP addresses in the x-forwarded-for header: the client's and one of
    the proxy servers'. As the request moves through a proxy server, the IP
    address of the requester is appended to the x-forwarded-for header. Hence the
    first IP address will be the original client IP, and there can be any number
    of IP addresses depending on how many proxy servers it passes through.

    Anthony.


    > Thanks,
    >
    > Vic


    • Victor

      #3
      Re: HTTP_X_FORWARDED_FOR ?

      "Anthony Jones" wrote...
      > "Victor" wrote...
      > > Is there any official documentation on
      > > Request.ServerVariables("HTTP_X_FORWARDED_FOR")?
      > >
      > > Googling I've found everyone repeating the same information - claiming that
      > > HTTP_X_FORWARDED_FOR is the real IP address if a proxy is being used, and
      > > that if it contains a value then it's the real IP address of the visitor.
      > >
      > > But this isn't consistent with what I am seeing. Sometimes
      > > HTTP_X_FORWARDED_FOR contains a single IP value, but I am also seeing it
      > > contain a LIST of IP addresses - I'm seeing this:
      > >
      > > HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
      > > REMOTE_ADDR = IPaddress3
      > >
      > > where two IP addresses are separated by a comma. Of course, that entire
      > > string for HTTP_X_FORWARDED_FOR is not a valid IP address, so what is the
      > > correct IP?
      > >
      > > Some websites say you take the first IP address, others say loop through
      > > the addresses & see if one matches the Class B domain of the REMOTE_ADDR
      > > IP address...
      > >
      > > Ack!
      > >
      > > Is there any "official" docs on this?
      >
      > The x-forwarded-for header is not a standard HTTP header (hence the x-
      > prefix). It is an attempt by the big proxy server vendors to help ISPs
      > identify and block abusive IP addresses.
      >
      > If there are two proxy servers between the client and your server you will
      > see two IP addresses in the x-forwarded-for header: the client's and one of
      > the proxy servers'. As the request moves through a proxy server, the IP
      > address of the requester is appended to the x-forwarded-for header. Hence the
      > first IP address will be the original client IP, and there can be any number
      > of IP addresses depending on how many proxy servers it passes through.
      >
      > Anthony.

      Ah! So, if Request.ServerVariables("HTTP_X_FORWARDED_FOR") is not empty, and if it
      contains a comma-separated list of IP addresses, then the very first IP address is the
      user's real IP address? So, in my original example:

      HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
      REMOTE_ADDR = IPaddress3

      the user's IP address is definitely IPaddress1?

      Since it is not a standard, is there a draft document I can reference?

      Thanks,

      Vic


      • Dave Anderson

        #4
        Re: HTTP_X_FORWARDED_FOR ?

        Victor wrote:
        > HTTP_X_FORWARDED_FOR = IPaddress1, IPaddress2
        > REMOTE_ADDR = IPaddress3
        >
        > the user's IP address is definitely IPaddress1?

        No. It *might* be, but there is no reason to assume so. That header is
        easily spoofed, for one thing. For another, this content differs by proxy
        type:





        --
        Dave Anderson

        Unsolicited commercial email will be read at a cost of $500 per message. Use
        of this email address implies consent to these terms.
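Putting the two replies together (Anthony's point that each proxy appends the address it saw, and Dave's that the header is trivially forged) gives the practical rule: the only address anyone can vouch for is REMOTE_ADDR, which comes from the TCP connection, and each X-Forwarded-For entry is only as honest as the hop that wrote it. So you do not take the first entry; you walk the list from the right, discard the proxies you operate, and stop at the first address that is not yours. The following is an added example, not code from this thread, written in Python rather than the classic ASP of the original question. The trusted proxy ranges and every address in it are constructed (RFC 5737 documentation ranges). On Vic's question about a reference: X-Forwarded-For itself was never standardized; RFC 7239 later defined the standard Forwarded header and describes X-Forwarded-For as its de facto predecessor.

```python
"""Resolve the client address from X-Forwarded-For without trusting it blindly.

Added example for the discussion above. TRUSTED_PROXIES and all addresses
are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical: the reverse proxies / load balancers we run ourselves and
# therefore trust to append honestly to X-Forwarded-For.
TRUSTED_PROXIES: List[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into entries, oldest (leftmost) first.

    Proxies append "client, proxy1, proxy2". Whitespace around the commas
    varies by vendor, so strip it and drop empty entries from stray commas.
    """
    return [part.strip() for part in header.split(",") if part.strip()]


def is_trusted(addr: str, trusted: Iterable[Network]) -> bool:
    """True if addr parses as an IP and lies inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def naive_first_ip(remote_addr: str, xff: str) -> str:
    """The advice repeated around the web: believe the first XFF entry.

    Any client can send this header, so the result is attacker-controlled.
    Kept here only for contrast with client_ip().
    """
    entries = parse_xff(xff)
    return entries[0] if entries else remote_addr


def client_ip(remote_addr: str, xff: str,
              trusted: Iterable[Network] = TRUSTED_PROXIES) -> Optional[str]:
    """Return the client address, or None if it cannot be determined.

    REMOTE_ADDR is the one genuine address (it is the TCP peer). Each XFF
    entry was written by the hop to its right, so it is trustworthy only if
    that hop is one of our own proxies. Walk the chain right to left, skip
    our proxies, and the first hop that is not ours is the client. If
    REMOTE_ADDR is not a trusted proxy, the request came in directly and the
    whole header is ignored, forged or not.
    """
    trusted = list(trusted)
    chain = parse_xff(xff) + [remote_addr]
    for hop in reversed(chain):
        if is_trusted(hop, trusted):
            continue
        try:
            # Normalise (e.g. upper-case IPv6 hex) so callers can compare strings.
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # "unknown", a hostname, or junk written by a proxy: do not guess.
            return None
    # Every hop was one of our proxies (e.g. a health check from the edge).
    return chain[0]


if __name__ == "__main__":
    # Vic's case: one client, one proxy, REMOTE_ADDR is our edge proxy.
    print(client_ip("203.0.113.20", "198.51.100.7, 203.0.113.10"))
    # Same request with an attacker-prepended entry: the forgery is ignored.
    print(client_ip("203.0.113.20", "192.0.2.66, 198.51.100.7, 203.0.113.10"))
    print(naive_first_ip("203.0.113.20", "192.0.2.66, 198.51.100.7, 203.0.113.10"))
```

Configure TRUSTED_PROXIES to exactly the proxies in front of the application; a list that is too wide lets anyone who can reach you from those ranges forge the result. Entries such as "unknown" (which some proxies insert) or hostnames make the chain unverifiable, and the function returns None rather than guessing, which is usually the right behaviour for anything security-relevant such as rate limiting or audit logging.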

