Security 101: X-Forwarded-For vs. Forwarded vs PROXY

david@systemoverlord.com (David Tomaschik) — Wed, 25 Mar 2020 00:00:00 +0000

Over time, there have been a number of approaches to indicating the original client and the route that a request took when forwarded across multiple proxy servers. For HTTP(S), the three most common approaches you’re likely to encounter are the X-Forwarded-For and Forwarded HTTP headers, and the PROXY protocol. They’re all a little bit different, but also the same in many ways.

X-Forwarded-For

X-Forwarded-For is the oldest of the 3 solutions, and was probably introduced by the Squid caching proxy server. As the X- prefix implies, it’s not an official standard (i.e., an IETF RFC). The header is an HTTP multi-valued header, which means that it can have one or more values, each separated by a comma. Each proxy server should append the IP address of the host from which it received the request. The resulting header looks something like:

Martian Packet Messages

david@systemoverlord.com (David Tomaschik) — Sun, 06 Nov 2011 02:36:13 +0000

Occasionally, you might see messages like the following in your Linux kernel messages:

martian source 192.168.1.1 from 127.0.0.1, on dev eth1<br />
        ll header: 52:54:00:98:99:d0:52:54:00:de:d8:10:08:00

There's a lot of discussion out there about what this means, but not a lot about how to trace down the source. Hopefully this will provide some insight into what the messages actually mean, and how to understand them.

Networking on System Overlord

Security 101: X-Forwarded-For vs. Forwarded vs PROXY

X-Forwarded-For

Martian Packet Messages