client.ip

IP, read-only.

Available in all subroutines.

The IP address of the client making the HTTP request. May be an IPv4 or IPv6 address.

When a request is first handled by a Fastly data center, client.ip represents the IP of the end user. In configurations that use shielding, however, the value of client.ip when the request is processed by the shield data center will be the IP of the edge data center.

Fastly automatically sets a Fastly-Client-IP header as a copy of the initial value of client.ip, and this is therefore one means of accessing the original client IP upstream of the edge data center. However, this header is not protected and can be spoofed as part of the client's initial request.

To prevent spoofing of the value of Fastly-Client-IP, set it explicitly in VCL:

if (fastly.ff.visits_this_service == 0 && req.restarts == 0) {
set req.http.Fastly-Client-IP = client.ip;
}

A common use of client.ip is to enforce access control against an access control list.

Try it out

client.ip is used in the following code examples. Examples apply VCL to real-world use cases and can be deployed as they are, or adapted for your own service. See the full list of code examples for more inspiration.

Click RUN on a sample below to provision a Fastly service, execute the code on Fastly, and see how the function behaves.

Client public IP API at the edge

Quickly fetch the user's public IP from an API endpoint on your own domain, with no origin.

Custom condition for triggering WAF

The web application firewall runs only on traffic to your origin, but you can further refine when it should be invoked.