HTTP Request Headers
HTTP(S) Endpoints set standard HTTP headers to identify the original IP address of clients making requests to your Apps and the protocol they used:
📘 Aptible Endpoints only allow headers composed of English letters, digits, hyphens, and underscores. If your App's headers contain other characters, such as periods, you can allow them with
aptible config:set --app "$APP_HANDLE" "IGNORE_INVALID_HEADERS=off".
This represents the protocol the end-user used to connect to your app. The value can be
This represents the IP Address of the end-user connected to your App.
The X-Forwarded-For header is structured as a comma-separated list of IP addresses. It is generated by the proxies that handle the request on its way from the end-user to your App: each proxy appends the client IP it sees to the header.
Here are a few examples:
ALB Endpoint, users connect directly to the ALB
In this scenario, the request goes through two hops when it enters Aptible: the ALB, and an Nginx proxy. This means that the ALB will append the client's IP address to the header, and Nginx will then append the ALB's IP address.
In other words, the header will normally look like this:
However, be mindful that end-users may themselves set X-Forwarded-For in their request (typically if they're trying to spoof some IP address validation performed in your App). This means the header might look like this:
When processing the X-Forwarded-For header, it is important that you always start from the end and work your way back to the IP you're looking for. In this scenario, this means you should look at the second-to-last IP address in the
ALB Endpoint, users connect through a CDN
Assuming your CDN only adds one hop (review your CDN's documentation for X-Forwarded-For if you're unsure), the X-Forwarded-For header will look like this:
Similarly to the example above, keep in mind that the user can inject arbitrary IPs at the head of the list in the X-Forwarded-For header. For example, the header could look like this:
So, in this case, you need to look at the third-to-last IP address in the
ELB Endpoints have one less hop than ALB Endpoints. In this case, the client IP is the last IP in the
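The "count back from the end" rule above, as an added example (not Aptible's code): the hop counts are assumed from the three scenarios described here, the sample addresses are constructed, and a spoofed prefix is shown to be harmless because only the trusted suffix is consulted.

```python
# Added example: recover the end-user IP from X-Forwarded-For by counting back
# over the proxies that are known to append to the header before the App sees
# it. Hop counts below are assumptions taken from the scenarios above; verify
# them against your own CDN/Endpoint documentation.
import ipaddress

# Number of trusted hops that append an address, per deployment scenario
# (assumed values matching the text above).
TRUSTED_HOPS = {
    "elb": 1,      # ELB Endpoint: one hop fewer than ALB, client IP is last
    "alb": 2,      # ALB Endpoint: ALB appends client IP, Nginx appends ALB IP
    "cdn+alb": 3,  # one-hop CDN in front of an ALB Endpoint
}


def client_ip(xff: str, trusted_hops: int) -> str:
    """Return the client IP for a request that crossed `trusted_hops` proxies,
    each of which appended the address it saw to X-Forwarded-For.

    Everything left of the trusted suffix is attacker-controllable and is
    ignored, so a spoofed prefix cannot change the result.
    """
    if trusted_hops < 1:
        raise ValueError("at least one trusted hop must have appended an IP")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        raise ValueError("header has fewer entries than trusted hops")
    # Counted from the end: last entry for 1 hop, second-to-last for 2, ...
    candidate = hops[-trusted_hops]
    # Validate the syntax so a garbage value is rejected rather than trusted.
    return str(ipaddress.ip_address(candidate))


if __name__ == "__main__":
    # Constructed sample: a spoofed leading entry, the real client
    # (203.0.113.5), and the ALB's private address appended by Nginx.
    print(client_ip("192.0.2.1, 203.0.113.5, 10.0.0.7", TRUSTED_HOPS["alb"]))
```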