77

I understand that a header HTTP_X_FORWARDED_FOR is set by proxy servers to identify the IP address of the host that is making the HTTP request through the proxy. I've heard claims that the header HTTP_CLIENT_IP is set for similar purposes.

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR?
  2. Why would one have different values than the other?
  3. Where can I find resources on the exact definition of these headers?
Thibault
Ethan Heilman

1 Answer

72

Neither of these headers is officially standardised. Therefore:

  1. What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? - it is impossible to say. Different proxies may implement these, or may not. The implementations may vary from one proxy to the next, and they may not. A lack of a standard breeds question marks.
  2. Why would one have different values than the other? - See point 1. However, from a purely practical point of view, the only reason I can see for these having different values is if more than one proxy was involved - the X-Forwarded-For: header might then contain a complete track of the forwarding chain, whereas the Client-IP: header would contain the actual client IP. This is pure speculation, however.
  3. Where can I find resources on the exact definition of these headers? - You can't. See point 1.

There does seem to be some kind of de-facto standard regarding the X-Forwarded-For: header, but given that there is no RFC that defines it, this cannot be relied upon (see comment below).

As a side note, the Client-IP: header should by convention be X-Client-IP: since it is a 'user-defined' header.

BenMorel
DaveRandom
  • 10
    It does seem to have an RFC now: http://tools.ietf.org/html/draft-petersson-forwarded-for-02. Although still in draft it seems. – kvn Mar 21 '12 at 19:53
  • 5
    RFC 7239 is no longer a draft: https://tools.ietf.org/html/rfc7239 Seems the future standard to replace both `X-Forwarded-For` and `X-Client-IP`. – François Sep 30 '15 at 02:56
  • 2
    ***Useful*** _1)_ http://stackoverflow.com/questions/6914457/why-does-servervariableremote-addr-returns-the-server-ip _2) IIS7/8: Logging the real client IP in the IIS hit logs_ https://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs _3) Advanced Logging_ https://www.iis.net/downloads/microsoft/advanced-logging _4)_ http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header _5)_ https://www.iis.net/learn/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85 – Kiquenet Nov 15 '16 at 10:35
  • Proposed standard is here from 2014: https://tools.ietf.org/html/rfc7239 – AbsoluteƵERØ Aug 12 '17 at 16:57
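
An added example, not part of the answer or comments above: because these headers arrive with the request and, as the answer notes, X-Forwarded-For may carry the whole forwarding chain, a server can resolve the client address by trusting only the hops appended by its own proxies. It also handles the RFC 7239 `Forwarded` header mentioned in the comments. The `TRUSTED_PROXIES` network, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption (constructed values): networks of the reverse proxies you operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# RFC 7239 "for=" parameter, quoted or bare.
_FOR = re.compile(r'(?:^|[;,\s])for=(?:"([^"]*)"|([^;,\s]+))', re.IGNORECASE)

def _to_ip(token):
    """Return an ip_address for one hop, or None if it is not a usable IP."""
    token = token.strip()
    if token.startswith("["):        # RFC 7239 IPv6 form: [addr] or [addr]:port
        token = token[1:].split("]")[0]
    elif token.count(":") == 1:      # IPv4 with a port
        token = token.split(":")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:               # "unknown", obfuscated "_id", junk
        return None

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def hops(environ, header):
    """Forwarding chain, oldest hop first, from the one header your proxy appends to."""
    value = environ.get(header, "")
    if header == "HTTP_FORWARDED":
        return [quoted or bare for quoted, bare in _FOR.findall(value)]
    return [h for h in value.split(",") if h.strip()]

def client_ip(environ, header="HTTP_X_FORWARDED_FOR"):
    """Walk the chain right to left; stop at the first hop that is not our proxy.

    HTTP_CLIENT_IP is never read: nothing ties it to a proxy we control.
    """
    ip = _to_ip(environ.get("REMOTE_ADDR", ""))
    if ip is None:
        return None
    if not _trusted(ip):
        return str(ip)               # direct peer: every header is client-supplied
    for hop in reversed(hops(environ, header)):
        candidate = _to_ip(hop)
        if candidate is None:
            break                    # unverifiable hop: keep the last good address
        ip = candidate
        if not _trusted(ip):
            break                    # first address not appended by our own proxies
    return str(ip)
```

Pass as `header` only the header your own proxy is known to append to; a header the proxy does not manage is entirely client-supplied.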