Greetings,

The expected format for all XFF headers is that there's only ONE XFF header. Every proxy server appends the client IP to the end of the XFF IP list.

e.g.
my IP: 10.0.0.1
proxy A: 202.41.76.251
Proxy B: 128.10.2.10 (let's say this is Pound)
webserver: 172.16.10.1

the webserver should receive an XFF header line as:

X-Forwarded-For: 10.0.0.1, 202.41.76.251

That's how all servers and log analyzers and plugins expect it. Multiline XFFs aren't the norm, and shouldn't be encouraged

-- Saumil

--- On Sun, 9/13/09, Iñaki Baz Castillo <[email protected]> wrote:

> From: Iñaki Baz Castillo <[email protected]>
> Subject: Re: [Pound Mailing List] Pound: "X-Forwarded-For" should be deleted if present in the request
> To: [email protected]
> Cc: "Dave Steinberg" <[email protected]>
> Date: Sunday, September 13, 2009, 7:30 AM
>
> On Saturday, 12 September 2009, Dave Steinberg wrote:
> > > X-Forwarded-For: 1.2.3.4
> > > X-Forwarded-For: 87.218.216.202
> >
> > I believe that's legal, and is equivalent to:
> >
> > X-Forwarded-For: 1.2.3.4, 87.218.216.202
> >
> > Possibly the IPs in my example are reversed - I'm not sure. The point
> > I'm making is that if you require only a single IP to be in your
> > X-Forwarded-For header, you should use HeadRemove as you mentioned.
> >
> > The multiple-IP version is legal / arguably desirable in the case of
> > multiple intermediate proxies. Think ISP-level web accelerator in front
> > of an end-user.
>
> Yes, it makes sense but then each X-Forwarded-For header added by each proxy
> should be on top of others.
> In the example I wrote:
>
> The request arriving to Pound:
>
> T 2009/09/12 21:49:44.271221 87.218.216.202:52448 -> 99.122.79.215:9080 [AP]
> GET /xcap-root/pres-rules/users/i...@qwe/presrules HTTP/1.1
> Content-Length: 0
> X-Forwarded-For: 1.2.3.4
>
>
> The request forwarded by Pound to the web server:
>
> T 2009/09/12 21:49:44.271452 127.0.0.1:36734 -> 127.0.0.1:80 [AP]
> GET /xcap-root/pres-rules/users/i...@qwe/presrules HTTP/1.1
> Content-Length: 0
> X-Forwarded-For: 87.218.216.202 <--- ON TOP
> X-Forwarded-For: 1.2.3.4
>
>
> I'm used to SIP protocol in which there are scenarios with multiple proxies
> adding headers (as "Via" and "Record-Route" header). When a proxy adds a Via
> or Record-Route header it *must* write it on top of existing Via/Record-Route
> headers. I expect that in HTTP it should be the same as SIP is "based" on
> HTTP.
>
> Regards.
>
>
> --
> Iñaki Baz Castillo <[email protected]>
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
>

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
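
Added example (not part of the original thread and not Pound's code): the two header layouts discussed above, processed by a backend that folds every X-Forwarded-For line in received order and walks the list right to left from the TCP peer. The function names and the trusted range 127.0.0.0/8 are assumptions; the addresses are the ones in the quoted capture.

```python
import ipaddress

def combine_xff(header_lines):
    """Fold every X-Forwarded-For line, in the order received, into one hop list."""
    hops = []
    for name, value in header_lines:
        if name.strip().lower() == "x-forwarded-for":
            hops.extend(p.strip() for p in value.split(",") if p.strip())
    return hops

def forward_xff(header_lines, peer_ip):
    """Appending proxy: emit ONE X-Forwarded-For line with the peer address last."""
    rest = [(n, v) for n, v in header_lines if n.strip().lower() != "x-forwarded-for"]
    hops = combine_xff(header_lines) + [peer_ip]
    return rest + [("X-Forwarded-For", ", ".join(hops))]

def client_ip(hops, peer_ip, trusted):
    """Walk right to left starting at the TCP peer and return the first address
    outside the trusted proxy networks. Entries to its left were supplied by
    that host and are unverified. Returns None if the chain is malformed or
    every hop is trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for candidate in [peer_ip] + hops[::-1]:
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            return None
        if not any(addr in n for n in nets):
            return candidate
    return None

# Assumption: the web server trusts only the local Pound instance.
TRUSTED = ["127.0.0.0/8"]

# Constructed from the capture: what the client 87.218.216.202 sent to Pound.
INCOMING = [("Content-Length", "0"), ("X-Forwarded-For", "1.2.3.4")]

# Constructed from the capture: what Pound forwarded, new header on top.
ON_TOP = [("Content-Length", "0"),
          ("X-Forwarded-For", "87.218.216.202"),
          ("X-Forwarded-For", "1.2.3.4")]

if __name__ == "__main__":
    appended = forward_xff(INCOMING, "87.218.216.202")
    print(appended)
    print(client_ip(combine_xff(appended), "127.0.0.1", TRUSTED))  # real peer
    print(client_ip(combine_xff(ON_TOP), "127.0.0.1", TRUSTED))    # client-supplied value
```

With the appended single-line form the right-to-left walk lands on the address Pound actually saw; with the on-top layout the same walk lands on the value the client put in its own request.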
