X-Forwarded-For

The originating IP address of a client request.

Fastly reads this header from requests and writes it into requests. It is defined by an external standard.

For VCL services, Fastly will add or append X-Forwarded-For headers on incoming requests over TLS, as follows:

  • The client IP – if the request protocol is TLS.
  • The edge IP – if the origin has a TLS configuration and shielding is enabled.
  • Nothing is added or appended at the shield unless the origin connection is over TLS, even if the client connection is TLS.

The value is not protected from modification at the edge of the Fastly network, so if a client sets this header itself, we will use it. If you want to prevent this, set the value yourself in VCL:

vcl_rec
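# Run only on the first Fastly node to see the request (not on a shield hop or a restart)
if (fastly.ff.visits_this_service == 0 && req.restarts == 0) {
  # Replace any client-supplied value with the connecting client's IP
  set req.http.X-Forwarded-For = client.ip;
}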

Examples

| Shielding | Request Protocol | Origin Protocol | Client Header | X-Forwarded-For | Note |
|-----------|------------------|-----------------|---------------|-----------------|------|
| No  | TLS     | TLS     | No  | 210.191.60.193 | Added at edge |
| No  | Non TLS | TLS     | No  | null | |
| No  | TLS     | TLS     | Yes | 1.1.1.1, 210.191.60.193 | Appended |
| No  | Non TLS | TLS     | Yes | 1.1.1.1 | Pass-through |
| No  | TLS     | Non TLS | No  | 210.191.60.193 | Added at edge |
| No  | Non TLS | Non TLS | No  | null | |
| No  | TLS     | Non TLS | Yes | 1.1.1.1, 210.191.60.193 | Appended |
| No  | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
| Yes | TLS     | TLS     | No  | 118.6.192.181, 157.52.91.44 | Added at edge (client IP) and shield (edge IP) |
| Yes | Non TLS | TLS     | No  | 157.52.91.44 | Added at shield (edge IP) |
| Yes | TLS     | TLS     | Yes | 1.1.1.1, 118.6.192.181, 43.249.72.30 | Added at edge (client IP) and shield (edge IP) |
| Yes | Non TLS | TLS     | Yes | 1.1.1.1, 157.52.91.44 | Added at shield (edge IP) |
| Yes | TLS     | Non TLS | No  | 118.6.192.181 | Added at edge (client IP) |
| Yes | Non TLS | Non TLS | No  | null | |
| Yes | TLS     | Non TLS | Yes | 1.1.1.1, 118.6.192.181 | Added at edge (client IP) |
| Yes | Non TLS | Non TLS | Yes | 1.1.1.1 | Pass-through |
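
The Python example below is added here and is not Fastly code: it shows how an origin could select the client address from the header values in the examples above by walking the list right to left and skipping trusted proxy entries. The function name and the TRUSTED_PROXIES list (the two edge IPs that appear in the examples) are assumptions, as is the premise that the origin accepts connections only from Fastly.

```python
import ipaddress

# Assumption: the two edge IPs from the examples stand in for the proxy ranges
# the origin trusts; a real deployment would load its CDN's published ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("157.52.91.44/32", "43.249.72.30/32")
]


def client_ip_from_xff(header, trusted=TRUSTED_PROXIES):
    """Return the rightmost entry that is not a trusted proxy, or None.

    Entries are appended left to right, so the rightmost ones were written by
    the proxies closest to the origin; anything further left may have been
    supplied by the client.
    """
    if not header:
        return None
    for raw in reversed(header.split(",")):
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Malformed entry: nothing to its left can be verified either.
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    # Only trusted proxy addresses were present; no client IP was recorded.
    return None


if __name__ == "__main__":
    # Header values taken from the examples table on this page.
    for value in (
        "1.1.1.1, 118.6.192.181, 43.249.72.30",  # edge and shield both wrote
        "1.1.1.1, 210.191.60.193",               # appended at edge
        "157.52.91.44",                          # shield wrote edge IP only
        "1.1.1.1",                               # pass-through
    ):
        print(f"{value!r:45} -> {client_ip_from_xff(value)}")
```

For the pass-through rows the function returns 1.1.1.1, the value the client supplied, because no Fastly node wrote an entry after it. An origin that uses this header for access decisions or logging therefore depends on the edge setting the value itself.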

Overriding multiple entries

To set a single value for this header, add the following to vcl_miss and vcl_pass:

set bereq.http.X-Forwarded-For = client.ip;