X-Forwarded-For
The X-Forwarded-For (XFF) request header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through a proxy server.
When a client connects directly to a server, the client's IP address is sent to the server (and is often written to server access logs). But if a client connection passes through any forward or reverse proxies, the server only sees the final proxy's IP address, which is often of little use. So, to provide a more useful client IP address to the server, the X-Forwarded-For request header is used.
HTTP Proxy can understand and parse related headers however there is a need to add X-Forwarded-For HTTP Header to packages that were sent by the client. Usually, Load Balancers handle this process. If Load Balancer adds this header to the client’s requests before it forwards to HTTP Proxy, then HTTP Proxy parses the header, and the real client IP address can be shown in HTTP Proxy Logs instead of the Load Balancer IP address.
The following steps should be followed to benefit from this feature:
- sudo vi /u01/http-proxy/conf/http_proxy.properties
- http.proxy.client.ip.header=X-Forwarded-For
- :wq!
- sudo systemctl restart pam-http
If the page to be accessed by the client uses the HTTP protocol, the Load Balancer can add this tag to the plain text transmitted packets. However, if the page to be accessed through the HTTP proxy uses the HTTPS protocol, since the incoming packets will be in encrypted form, these packets must be decrypted on the Load Balancer and then re-encrypted on the Load Balancer and sent to the HTTP Proxy after the relevant header is added. This process can only be done by SSL Offloading on the Load Balancer. To avoid complex configurations, the most suitable method for transmitting the client IP address directly to the HTTP Proxy over the Load Balancer would be to run the Load Balancer in transparent mode.