This is the sixth day of my participation in the August Challenge. For details, see:August is more challenging

X-forwarded-for and several related headers in the HTTP request header

Lately, I’ve been thinking about fighting hackers. Recently, I came up with a question: what should I do if a hacker visits my website maliciously? Of course. With my temper, I’d find him and give him a hug! So the question is, how do we find him? So, I went online and found that there are several headers in HTTP that are about access address records.


Is the IP address of the last request from the proxy server or directly from the client (if there is no proxy server in between); It can’t be forged, because TCP is established by a three-way handshake. If the source IP is forged, TCP cannot be established, so it’s pointless to forge remote_ADDR.


A custom header, x-real-ip is commonly used by HTTP proxies to represent the Ip address of the device with which it generates a TCP connection, which may be another proxy or the actual requestor. It is important to note that X-real-IP does not currently belong to any standard, and any custom header can be agreed between the proxy and the Web application to pass this information

X-forwarded-for (what is received may not always be true)

This is an extension header. This is the only header that can get the client’s IP address if you have a proxy server. His request header format is:

Copy the code

For example, if an HTTP request passes through three proxies before reaching the server, the final information obtained by the server is as follows:

Copy the code

The first ip0 is the address requested by the real client, followed by the nearest 1,2 proxy servers.

So why is the IP of the last proxy server not in the record? It starts with its workflow!

Throughout the HTTP request, each server logs the information passed from the previous server, appends the information from the previous server, and passes the messages to the next server. In the same way, the last server only appended the previous server information to all the previous proxy server information, and did not put its own information in, and then directly sent to the server. As a result, the entire request header contains information about all proxy servers passed during the HTTP request process, but there is no information about the address of the last proxy server. What should we do if we want to get the information about the last proxy server? We can retrieve this using the remote_ADDR field (the information in the above discussion refers to the information in the request header).

It looks like the X-Forwarded-for plugin can then customize its own X-forward-for header IP. Therefore, it is better to get the visitor IP through the client with its own IP. The IP address carried in the request header allows us to find the real visitor’S IP, but this address can also be forged. For example, you can download a Firefox plugin called X-Forwarded-for and customize your own X-forward-for header. Therefore, it is better to get the visitor IP through the client with its own IP. So this time and hacker’s association battle, I lost, or I too dish chicken!!