About X-Forwarded-For HTTP Headers

The X-Forwarded-For (XFF) HTTP header is a de facto standard for identifying the originating IP address of a client connecting to a Web server through an HTTP proxy or load balancer. X-Forwarded-For header are supported by most proxy servers, and IPv6 X-Forward-For headers are supported in IWSVA. The headers can be parsed to access the client’s IPv6 addresses similar to the behavior of IPv4 addresses.

IWSVA also handles three actions for IPv6 access similar to IPv4, including the “Keep X-Forwarded-For header intact" feature, the "Append the IP address where IWSVA receives the request" feature, and the "strip X-Forwarded-For header" feature.

When IWSVA receives an HTTP request with an XFF header, it parses the XFF header to get the original client IP address and use the IP address to do a policy match.
When IWSVA forwards an HTTP request, it takes the action configured by the administrator on the XFF HTTP header.
Note: IWSVA does not support parsing XFF headers for HTTPS traffic.

See the following table to learn how the deployment mode affects the use of XFF HTTP headers.

Deployment Mode	Parses XFF	Action: Add	Action: Keep	Action: Remove	Notes
Forward Proxy	Yes	Yes	Yes	Yes
Bridge	Yes	N/A	Yes	Yes	This mode is transparent and does not need to add an IP address in the header.
WCCP	Yes	Yes	Yes	Yes
Simple Transparency	Yes	Yes	Yes	Yes
ICAP	N/A	N/A	N/A	N/A	IWSVA acts as an ICAP server. It does not communicate with the client and server. The IP address is provided by the ICAP client with an X-Client-IP header
Reverse Proxy	N/A	N/A	N/A	N/A	XFF HTTP headers are not supported in this mode.

About X-Forwarded-For HTTP Headers

See also: