X-Forwarded-For
The originating IP address of a client request.
Fastly reads this header from requests and writes it into requests. It is defined by an external standard.
For VCL services, Fastly will add or append X-Forwarded-For headers on incoming requests over TLS, as follows:
- The client IP – if the request protocol is TLS.
- The edge IP – if the origin has a TLS configuration and shielding is enabled.
- Even if the client connection is TLS, nothing will be added or appended at the shield unless the origin connection is also over TLS.
Examples
Shielding | Request Protocol | Origin Protocol | Client Header | X-Forwarded-For | Note |
---|---|---|---|---|---|
No | TLS | TLS | No | 210.191.60.193 | Added at edge |
No | Non TLS | TLS | No | null | |
No | TLS | TLS | Yes | 1.1.1.1, 210.191.60.193 | Appended |
No | Non TLS | TLS | Yes | 1.1.1.1 | Pass-through |
No | TLS | Non TLS | No | 210.191.60.193 | Added at edge |
No | Non TLS | Non TLS | No | null | |
No | TLS | Non TLS | Yes | 1.1.1.1, 210.191.60.193 | Appended |
No | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
Yes | TLS | TLS | No | 118.6.192.181, 157.52.91.44 | Added at edge (client IP) and shield (edge IP) |
Yes | Non TLS | TLS | No | 157.52.91.44 | Added at shield (edge IP) |
Yes | TLS | TLS | Yes | 1.1.1.1, 118.6.192.181, 43.249.72.30 | Added at edge (client IP) and shield (edge IP) |
Yes | Non TLS | TLS | Yes | 1.1.1.1, 157.52.91.44 | Added at shield (edge IP) |
Yes | TLS | Non TLS | No | 118.6.192.181 | Added at edge (client IP) |
Yes | Non TLS | Non TLS | No | null | |
Yes | TLS | Non TLS | Yes | 1.1.1.1, 118.6.192.181 | Added at edge (client IP) |
Yes | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
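An origin-side reading of the table above, as an added example (not Fastly's code): it splits a received X-Forwarded-For value into the trailing entries written by Fastly and the leading entries supplied by the client, which must be treated as untrusted. The names `split_xff` and `XffView` and the three flags are assumptions; the origin is assumed to know the service's shielding setting and the protocol of each hop.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class XffView(NamedTuple):
    client_ip: Optional[str]    # entry written by the Fastly edge, else None
    fastly_added: List[str]     # trailing entries written by Fastly
    client_supplied: List[str]  # leading entries sent by the client (untrusted)


def split_xff(value: Optional[str], shielding: bool,
              request_tls: bool, origin_tls: bool) -> XffView:
    """Split an X-Forwarded-For value according to the table above."""
    entries = [e.strip() for e in (value or "").split(",") if e.strip()]
    n_edge = 1 if request_tls else 0                   # client IP, added at edge
    n_shield = 1 if (shielding and origin_tls) else 0  # edge IP, added at shield
    n_added = n_edge + n_shield
    if len(entries) < n_added:
        raise ValueError("fewer entries than this configuration should add")
    cut = len(entries) - n_added
    supplied, added = entries[:cut], entries[cut:]
    for entry in added:
        ipaddress.ip_address(entry)  # raises ValueError on a malformed entry
    # Only a TLS request carries a client IP written by Fastly; on a non-TLS
    # request every remaining entry came from the client or is a shield hop.
    client_ip = added[0] if n_edge else None
    return XffView(client_ip, added, supplied)


if __name__ == "__main__":
    # Header values copied from rows of the table above.
    rows = [
        ("1.1.1.1, 210.191.60.193", False, True, True),
        ("1.1.1.1, 157.52.91.44", True, False, True),
        ("1.1.1.1, 118.6.192.181, 43.249.72.30", True, True, True),
        ("1.1.1.1", True, False, False),
    ]
    for value, shielding, req_tls, org_tls in rows:
        print(value, "->", split_xff(value, shielding, req_tls, org_tls))
```

In the second sample row the only Fastly-written entry is the edge IP, so `client_ip` is `None` and `1.1.1.1` is reported as client-supplied rather than mistaken for the client address.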
Overriding multiple entries
To set a single value for this header, add the following to vcl_miss and vcl_pass:
set bereq.http.X-Forwarded-For = client.ip;