82

I understand that a header HTTP_X_FORWARDED_FOR is set by proxy servers to identify the IP address of the host that is making the HTTP request through the proxy. I've heard claims that the header HTTP_CLIENT_IP is set for similar purposes.

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?
  2. Why would one have different values than the other?
  3. Where can I find resources on the exact definition of these headers?

1 Answer

72

Neither of these headers is officially standardised. Therefore:

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? - it is impossible to say. Different proxies may implement these, or may not. The implementations may vary from one proxy to the next, and they may not. A lack of a standard breeds question marks.
  2. Why would one have different values than the other? - See point 1. However, from a purely practical point of view, the only reason I can see for these having different values is if more than one proxy was involved - the X-Forwarded-For: header might then contain a complete track of the forwarding chain, whereas the Client-IP: header would contain the actual client IP. This is pure speculation, however.
  3. Where can I find resources on the exact definition of these headers? - You can't. See point 1.

There does seem to be some kind of de-facto standard regarding the X-Forwarded-For: header, but given that there is no RFC that defines it, this cannot be relied upon (see comment below).

As a side note, the Client-IP: header should by convention be X-Client-IP: since it is a 'user-defined' header.


4 Comments

It does seem to have an RFC now: tools.ietf.org/html/draft-petersson-forwarded-for-02. Although still in draft it seems.
RFC 7239 is no longer a draft: tools.ietf.org/html/rfc7239. It seems to be the future standard to replace both X-Forwarded-For and X-Client-IP.
Proposed standard is here from 2014: tools.ietf.org/html/rfc7239
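
The forwarding-chain behaviour discussed in the answer and the RFC 7239 `Forwarded` header from the comments, as an added example that is not part of the original answer or of any proxy's code: it resolves the client address by walking the chain from the right and stopping at the first hop that is not one of your own proxies, and it never reads `HTTP_CLIENT_IP`. Assumptions: WSGI/CGI-style `environ` keys, a constructed `TRUSTED_PROXIES` range, proxies that append to the header named in `header`, and a simplified `Forwarded` parser that does not handle commas inside quoted values.

```python
import ipaddress

# Assumption: networks of the reverse proxies you operate (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _trusted(addr, nets):
    return any(addr in net for net in nets)

def _parse(token):
    """Parse one chain entry; return None for malformed or obfuscated values."""
    token = token.strip().strip('"')
    if token.startswith("["):               # [IPv6] or [IPv6]:port
        token = token[1:].split("]")[0]
    elif token.count(":") == 1:             # IPv4:port
        token = token.split(":")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def chain(environ, header):
    """Entries in the order the proxies appended them (client side first)."""
    raw = environ.get(header, "")
    if header != "HTTP_FORWARDED":
        return [t for t in raw.split(",") if t.strip()]
    entries = []                            # RFC 7239: for=...;proto=..., for=...
    for element in raw.split(","):
        for pair in element.split(";"):
            name, _, value = pair.strip().partition("=")
            if name.lower() == "for":
                entries.append(value)
    return entries

def client_ip(environ, nets=TRUSTED_PROXIES, header="HTTP_X_FORWARDED_FOR"):
    """Walk the chain right to left and stop at the first hop we do not run."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _trusted(peer, nets):
        return str(peer)                    # direct peer: every header is client-supplied
    candidate = peer
    for token in reversed(chain(environ, header)):
        addr = _parse(token)
        if addr is None:
            break                           # unparseable entry: keep the last good hop
        candidate = addr
        if not _trusted(addr, nets):
            break                           # first hop outside our proxies
    return str(candidate)
```

Pass `header="HTTP_FORWARDED"` only when your own proxy writes that header; entries to the left of the first untrusted hop are never used because the client can set them freely.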
