Oracle Cloud Infrastructure Documentation

HTTP "X-" Headers

HTTP requests and responses often include header fields that provide contextual information about the message. RFC 2616 defines a standard set of HTTP header fields. Some non-standard header fields, which begin with X-, are common. The Load Balancing service adds or modifies the following X- headers when it passes requests to your servers.

X-Forwarded-For

Provides a list of connection IP addresses.

The load balancer appends the last remote peer address to the X-Forwarded-For field from the incoming request. A comma and space precede the appended address. If the client request header does not include an X-Forwarded-For field, this value is equal to the X-Real-IP value. The original requesting client is the first (left-most) IP address in the list, assuming that the incoming field content is trustworthy. The last address is the last (most recent) peer, that is, the machine from which the load balancer received the request. The format is:

X-Forwarded-For: <original_client>, <proxy1>, <proxy2>

Example incoming field:

X-Forwarded-For: 202.1.112.187

Example field with appended proxy IP address:

X-Forwarded-For: 202.1.112.187, 192.168.0.10

X-Forwarded-Host

Identifies the original host and port requested by the client in the Host HTTP request header. This header helps you determine the original host, since the hostname or port of the reverse proxy (load balancer) might differ from the original server handling the request.

X-Forwarded-Host: www.oracle.com:8080

X-Forwarded-Port

Identifies the listener port number that the client used to connect to the load balancer. For example:

X-Forwarded-Port: 443

X-Forwarded-Proto

Identifies the protocol that the client used to connect to the load balancer, either http or https. For example:

X-Forwarded-Proto: https

X-Real-IP

Identifies the client's IP address. For the Load Balancing service, the "client" is the last remote peer.

Your load balancer intercepts traffic between the client and your server. Your server's access logs, therefore, include only the load balancer's IP address. The X-Real-IP header provides the client's IP address. For example:

X-Real-IP: 192.168.0.10