001 Understanding X-Forwarded-For (XFF) Header
X-Forwarded-For is like a tagging system where each proxy/load balancer adds its mark to document the request’s journey, and the final destination reads those tags to understand where the request really came from.
It’s Like Adding a Shipping Label
Think of the HTTP request as a package:
- Original package: Comes from the client with no special tags
- First proxy (NetScaler): Adds a tag: “Originally from: Client_IP”
- Next proxy: Adds another tag: “Then via: Previous_Proxy_IP”
- Final destination: Reads all the tags to understand the journey
What is the X-Forwarded-For (XFF) Header?
The X-Forwarded-For (XFF) header is a de-facto standard header used to identify the original client IP address when a request passes through one or more proxy servers, load balancers, or CDNs (Content Delivery Networks) before reaching the final web server.
In simpler terms: It’s a way for the final server to know “who originally sent this request,” even though the connection directly came from a proxy.
Why is this needed?
Without XFF, a web server only sees the IP address of the last machine that connected to it (usually the proxy or load balancer). The original client’s IP is lost.
Is it Added Automatically?
Yes, but not by the client’s browser or the operating system.
- The Client’s Browser: Does NOT add the X-Forwarded-For header. It has no knowledge of the proxies in front of it.
- The Proxy/Load Balancer: This is the component that automatically adds the header.
  - When a proxy receives a request, it checks if an X-Forwarded-For header already exists.
  - If it does not exist, the proxy creates the header and sets its value to the IP address of the client it received the request from.
  - If it already exists, the proxy appends the client’s IP address to the end of the existing list.
Can the Linux OS or Web Server See It?
This is a crucial distinction.
Can the Linux OS (Kernel) see it?
Generally, No.
The X-Forwarded-For header is an HTTP header. It exists at the Application Layer (Layer 7) of the network stack. The Linux kernel’s network stack operates primarily at lower layers (Transport Layer 4 – TCP/UDP, and Network Layer 3 – IP). Standard tools like netstat or ss that show network connections will only see the direct IP address of the connecting proxy, not the HTTP headers.
Can the Web Server see it?
Yes, Absolutely.
Web servers (like Apache, Nginx) and web applications (written in PHP, Python, Node.js, Java, etc.) operate at the Application Layer and are designed to parse and read all HTTP headers, including X-Forwarded-For.
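Because each proxy appends to the end of the list, only the entries written by proxies you operate are reliable; anything further left arrived with the request and is unverified. The sketch below is an added example, not code from the original page, showing how an application can read the header on that basis. The names `TRUSTED_PROXIES`, `is_trusted` and `client_ip` are hypothetical, and the 10.0.0.0/8 proxy range and sample addresses are constructed.

```python
import ipaddress

# Assumption: address ranges of the proxies/load balancers you operate.
# Constructed sample value; replace with your own.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip):
    """True if ip belongs to one of our own proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the client address the final server can rely on.

    peer_addr:  address of the direct TCP peer (what ss/netstat shows)
    xff_header: raw X-Forwarded-For value, or None if the header is absent
    """
    last_good = ipaddress.ip_address(peer_addr)
    # A peer that is not one of our proxies supplied the header itself: ignore it.
    if not is_trusted(last_good):
        return str(last_good)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Proxies append to the end, so walk the list from right to left.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop, nothing further left is verifiable
        if not is_trusted(ip):
            return str(ip)  # first address that is not one of our proxies
        last_good = ip
    return str(last_good)


if __name__ == "__main__":
    # Constructed sample requests: (direct peer, X-Forwarded-For value)
    samples = [
        ("10.0.0.5", "203.0.113.7"),
        ("10.0.0.5", "192.0.2.99, 203.0.113.7, 10.0.0.8"),
        ("198.51.100.9", "192.0.2.99"),
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_ip(peer, xff))
```

Use the returned value for logging, rate limiting and access decisions instead of the first entry in the header.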