HTTP Request Headers

HTTP(S) Endpoints set standard HTTP headers to identify the original IP address of clients making requests to your apps, and the protocol they used:

X-Forwarded-Proto

This represents the protocol the end-user used to connect to your app. The value can be http or https.

X-Forwarded-For

This represents the IP Address the end-user connected to your app from.

The X-Forwarded-For header is structured as a comma-separated list of IP addresses. It is generated by proxies that handle the request from an end-user to your app (each proxy appends the client IP they see to the header).

Here are a few examples:

ALB Endpoint, users connect directly to the ALB

In this scenario, the request goes through two hops when it enters Aptible: the ALB, and an Nginx proxy. This means that the ALB will inject the client’s IP address in the header, and Nginx will inject the ALB’s IP address in the header.

In other words, the header will normally look like this: $USER_IP,$ALB_IP.

However, be mindful that end-users may themselves set the X-Forwarded-For in their request (typically if they’re trying to spoof some IP address validation performed in your app). This means the header might look like this: $SPOOFED_IP_A,$SPOOFED_IP_B,$SPOOFED_IP_C,$USER_IP,$ALB_IP.

When processing the X-Forwarded-For header, it is important that you always start from the end, and work you way back to the IP you’re looking for. In this scenario, this means you should look at the second-to-last IP address in the X-Forwarded-For header.

ALB Endpoint, users connect through a CDN

Assuming your CDN only has one hop (review your CDN’s documentation for X-Forwarded-For if you’re unsure), the X-Forwarded-For header will look like this: $USER_IP,$CDN_IP,$ALB_IP.

Similarly to the example above, keep in mind that the user can inject arbitrary IPs at the head of the list in the X-Forwarded-For header. For example, the header could look like this: $SPOOFED_IP_A,$SPOOFED_IP_B,$USER_IP,$CDN_IP,$ALB_IP.

So, in this case, you need to look at the third-to-last IP address in the X-Forwarded-For header.

ELB Endpoint

ELB Endpoints have one less hop than ALB Endpoints. In this case, the client IP is the last IP in the X-Forwarded-For header.