X-Forwarded-For
The originating IP address of a client request.
Fastly reads this header from requests and writes it into requests. It is defined by an external standard.
For VCL services, Fastly will add or append X-Forwarded-For headers on incoming requests over TLS, as follows:
- The client IP – if the request protocol is TLS.
- The edge IP – if the origin has a TLS configuration and shielding is enabled.
- Even if client connection is TLS, unless the origin connection is over TLS, nothing will be added or appended at the shield.
The value is not protected from modification at the edge of the Fastly network, so if a client sets this header itself, we will use it. If you want to prevent this, set the value yourself in VCL:
vcl_rec
Fastly VCL
if (fastly.ff.visits_this_service == 0 && req.restarts == 0) { set req.http.X-Forwarded-For = client.ip;}Examples
| Shielding | Request Protocol | Origin Protocol | Client Header | X-Forwarded-For | Note |
|---|---|---|---|---|---|
| No | TLS | TLS | No | 210.191.60.193 | Added at edge |
| No | Non TLS | TLS | No | null | |
| No | TLS | TLS | Yes | 1.1.1.1, 210.191.60.193 | Appended |
| No | Non TLS | TLS | Yes | 1.1.1.1 | Pass-through |
| No | TLS | Non TLS | No | 210.191.60.193 | Added at edge |
| No | Non TLS | Non TLS | No | null | |
| No | TLS | Non TLS | Yes | 1.1.1.1, 210.191.60.193 | Appended |
| No | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
| Yes | TLS | TLS | No | 118.6.192.181, 157.52.91.44 | Added at edge (client IP) and shield (edge IP) |
| Yes | Non TLS | TLS | No | 157.52.91.44 | Added at shield (edge IP) |
| Yes | TLS | TLS | Yes | 1.1.1.1, 118.6.192.181, 43.249.72.30 | Added at edge (client IP) and shield (edge IP) |
| Yes | Non TLS | TLS | Yes | 1.1.1.1, 157.52.91.44 | Added at shield (edge IP) |
| Yes | TLS | Non TLS | No | 118.6.192.181 | Added at edge (client IP) |
| Yes | Non TLS | Non TLS | No | null | |
| Yes | TLS | Non TLS | Yes | 1.1.1.1, 118.6.192.181 | Added at edge (client IP) |
| Yes | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
Overriding multiple entries
To set a single value for this header, add the following to vcl_miss and vcl_pass:
set bereq.http.X-Forwarded-For = client.ip;
User contributed notes
BETADo you see an error in this page? Do have an interesting use case, example or edge case people should know about? Share your knowledge and help people who are reading this page! (Comments are moderated; for support, please contact support@fastly.com)