2 comments

[ 3.0 ms ] story [ 19.4 ms ] thread
One thing to add, never trust this header. Anyone can set this header contents to anything. If setting a real-ip header inside your data-center, use a custom header and drop it at the ingress so people can not falsify their IP. If logging X-Forwarded-For, log in addition to and not instead of the remote_addr otherwise you will get smart-asses like me being logged as "chuck-norris".
I remember back in the 90s that Squid was adding this header while acting as a forward proxy. This header was sent across the internet years before someone have ever dreamed of the concept of a "reverse" proxy. I have not fact-checked but I am pretty sure it is older than IPv6 and the original standard was to add this header at the origin and send it across the whole internet.