If you’re like many of our clients, you not only want to retrieve the original client IP for your web server logs, but you want to use them in code as well… for example, to track invalid login attempts, or record the IP in a database for online payments etc. (NOTE: If you need the IP for logging, check out this article)

NOTE: This only works with the HTTP protocol and, of course, HTTP traffic. It will not work with SSL_BRIDGE or TCP etc. It CAN work with SSL traffic provided you’ve installed a SSL Certificate so we can first decrypt, then insert the header, then re-encrypt.

First, you must enable the X-Forwarded-For header by editing your server(s). In the settings dialog you will see the “Use client IP header” option. Enable it and then specify the header name “X-Forwarded-For” as shown in the screen capture below:

x-forwarded-for configuration

Okay, now that you’ve completed that step, you are ready to extract it within your code. Here are some examples for common programming languages:

.NET C#

Since X-Forwarded-For can return multiple IP addresses on occasion (if you have multiple proxies in front of your web server), this sample code will extract the first IP, which is generally the original client IP, whether an array is returned or not.


public static string GetUserIP() {
var ip = ( HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null
&& HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != "" )
? HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]
: HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
if (ip.Contains( "," ))
ip = ip.Split( ',' ).First().Trim();
return ip;
}

PHP

Here is an example to simply retrieve the X-Forwarded-For Header. You can find a similar function here if an array of IPs is returned.

$headers = apache_request_headers(); $real_client_ip = $headers["X-Forwarded-For"];

Classic ASP

<%= Request.ServerVariables("HTTP_X_FORWARDED_FOR") %>

JSP

<%= request.getHeader("X-FORWARDED-FOR") %>

If you figure it out for other languages that we haven’t covered here, let us know so we can share with others!

IMPORTANT NOTE: You may have noticed above for the .NET C# and the Classic ASP examples that the code uses HTTP_X_FORWARDED_FOR (that is all upper case and underscores) where the example in the image above uses X-Forwarded-For (that is, mixed case and hyphens). This isn’t a mistake on our part. This is a Microsoft oddity. It really is true that we both need to send (and your Microsoft Server will look for) the proper syntax of X-Forwarded-For and then change it into the custom server variable you see of HTTP_X_FORWARDED_FOR. Strange stuff, right?

Looking for a way to grab the X-Forwarded-For header for logging purposes in Apache, IIS or NGINX? Then check out this article.

Check out our article on Preventing X-Forwarded-For Spoofing or Manipulation too.

If your Cloud provider doesn’t offer customizable X-Forwarded-For capabilities, check out our Cloud Load Balancer!