Single IP Headers
Terminology:

- Client socket IP: the IP address of the client that connects directly to the first reverse proxy (i.e., to the cloud provider's edge). Because it comes from the TCP connection rather than from a header, this is a trustworthy value.

Cloudflare: `CF-Connecting-IP` (for everyone) and `True-Client-IP` (for Enterprise customers with backwards-compatibility requirements) are synonyms. Both are set to the client socket IP.

https://developers.cloudflare.com/fundamentals/get-started/http-request-headers/
Azure Front Door:

> `X-Azure-ClientIP`: Represents the client IP address associated with the request being processed. For example, a request coming from a proxy might add the `X-Forwarded-For` header to indicate the IP address of the original caller.

> `X-Azure-SocketIP`: Represents the socket IP address associated with the TCP connection that the current request originated from. A request's client IP address might not be equal to its socket IP address because the client IP can be arbitrarily overwritten by a user.

So `X-Azure-ClientIP` is the leftmost-ish XFF IP (client-controlled), and `X-Azure-SocketIP` is the client socket IP.

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-http-headers-protocol
Fastly: `Fastly-Client-IP` gets the client socket IP. However:

> The value is not protected from modification at the edge of the Fastly network, so if a client sets this header themselves, we will use it. If you want to prevent this [you need to do some additional configuration].

So, by default, `Fastly-Client-IP` is trivially spoofable: a client that sends the header itself has its value passed through. Make sure you do the additional configuration that makes it trustable, and then test that the configuration actually works.

https://developer.fastly.com/reference/http/http-headers/Fastly-Client-IP/
`True-Client-IP` (outside of Cloudflare, where it is a synonym for `CF-Connecting-IP`) gets the leftmost, untrustworthy `X-Forwarded-For` IP address. It is also not replaced if the header is already present in the incoming request. It is trivially spoofable.
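The distinction drawn above (a header the edge sets to the socket IP versus a header whose value the client can choose) is worth encoding in one place at the origin. The following is an added example, not code from this wiki or from any of the providers: it returns a client IP that is only ever taken from the provider's socket-IP header when the TCP peer is actually the configured provider's edge, falls back to the socket IP otherwise, and flags requests that reach the origin directly while carrying the provider's header. The edge address ranges are constructed placeholders from the RFC 5737 documentation blocks; a real deployment must load and refresh each provider's published list.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed placeholder ranges for each provider's edge (RFC 5737 documentation
# blocks). These are NOT the providers' real address lists; load those from the
# provider's published source and refresh them regularly.
EDGE_NETWORKS = {
    "cloudflare": ["203.0.113.0/24"],
    "azure_frontdoor": ["198.51.100.0/24"],
}

# The header each provider's edge sets to the client socket IP. At Cloudflare
# True-Client-IP is an Enterprise synonym; X-Azure-ClientIP is leftmost-ish XFF
# and therefore deliberately absent here.
SOCKET_IP_HEADER = {
    "cloudflare": "CF-Connecting-IP",
    "azure_frontdoor": "X-Azure-SocketIP",
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def peer_is_edge(socket_ip: str, provider: str) -> bool:
    """True when the TCP peer address belongs to the configured provider's edge."""
    addr = ipaddress.ip_address(socket_ip)
    return any(addr in ipaddress.ip_network(net) for net in EDGE_NETWORKS.get(provider, ()))


def client_ip(socket_ip: str, headers: Mapping[str, str], provider: str) -> str:
    """IP to use for rate limiting, ACLs and audit logs.

    Only the provider's socket-IP header is consulted, and only when the request
    really arrived through that provider's edge. X-Forwarded-For, True-Client-IP
    (leftmost XFF), X-Azure-ClientIP and an unconfigured Fastly-Client-IP are
    never used: their value is whatever the client chose to send.
    """
    if not peer_is_edge(socket_ip, provider):
        # Direct-to-origin connection: any header value is client-supplied.
        return socket_ip
    value = _header(headers, SOCKET_IP_HEADER[provider])
    if value is None:
        return socket_ip
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        # Malformed header from the edge is treated as absent rather than trusted.
        return socket_ip


def spoof_indicators(socket_ip: str, headers: Mapping[str, str], provider: str) -> list:
    """Names of provider headers present on a request that did NOT come via the edge.

    Such a request cannot have had the header set by the provider, which is a
    useful signal for logging and alerting on origin exposure.
    """
    if peer_is_edge(socket_ip, provider):
        return []
    name = SOCKET_IP_HEADER[provider]
    return [name] if _header(headers, name) is not None else []


if __name__ == "__main__":
    # Constructed sample requests: one via the edge, one straight to the origin.
    via_edge = {"CF-Connecting-IP": "192.0.2.7", "X-Forwarded-For": "10.0.0.1, 192.0.2.7"}
    direct = {"CF-Connecting-IP": "10.0.0.1"}
    print(client_ip("203.0.113.10", via_edge, "cloudflare"))
    print(client_ip("192.0.2.99", direct, "cloudflare"))
    print(spoof_indicators("192.0.2.99", direct, "cloudflare"))
```

The same peer check also covers the Fastly case: until the additional configuration mentioned above is in place, `Fastly-Client-IP` belongs with the headers this code ignores, and even afterwards it should only be read from connections that originate at the Fastly edge.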