HTTP headers and Application Load Balancers
HTTP requests and HTTP responses use header fields to send information about the HTTP
messages. HTTP headers are added automatically. Header fields are colon-separated
name-value pairs that are separated by a carriage return (CR) and a line feed (LF). A
standard set of HTTP header fields is defined in RFC 2616, Message
Headers. Some non-standard HTTP headers have an X-Forwarded prefix.
Application Load Balancers support the following X-Forwarded headers.
For more information about HTTP connections, see Request routing in the Elastic Load Balancing User Guide.
X-Forwarded headers
X-Forwarded-For
The X-Forwarded-For request header helps you identify the IP address
of a client when you use an HTTP or HTTPS load balancer. Because load balancers
intercept traffic between clients and servers, your server access logs only contain
the IP address of the load balancer. To see the IP address of the client, use the
routing.http.xff_header_processing.mode attribute. This attribute
enables you to modify, preserve, or remove the X-Forwarded-For header
in the HTTP request before the Application Load Balancer sends the request to the target. The possible
values for this attribute are append, preserve, and
remove. The default value for this attribute is
append.
Important
The X-Forwarded-For header should be used with caution due to the potential
for security risks. The entries can only be considered trustworthy if added by systems that
are properly secured within the network.
Append
By default, the Application Load Balancer stores the IP address of the client in the
X-Forwarded-For request header and passes the header to your
server. If the X-Forwarded-For request header is not included in
the original request, the load balancer creates one with the client IP address
as the request value. Otherwise, the load balancer appends the client IP address to
the existing header and then passes the header to your server. The
X-Forwarded-For request header may contain multiple IP
addresses that are comma separated.
The X-Forwarded-For request header takes the following
form:
X-Forwarded-For: client-ip-address
The following is an example X-Forwarded-For request header for a
client with an IP address of 203.0.113.7.
X-Forwarded-For: 203.0.113.7
The following is an example X-Forwarded-For request header for a
client with an IPv6 address of
2001:DB8::21f:5bff:febf:ce22:8a2e.
X-Forwarded-For: 2001:DB8::21f:5bff:febf:ce22:8a2e
When the client port preservation attribute
(routing.http.xff_client_port.enabled) is enabled on the load
balancer, the X-Forwarded-For request header includes the
client-port-number appended to the
client-ip-address, separated by a colon. The header then takes
the following form:
IPv4 -- X-Forwarded-For: client-ip-address:client-port-number
IPv6 -- X-Forwarded-For: [client-ip-address]:client-port-number
For IPv6, note that when the load balancer appends the
client-ip-address to the existing header, it encloses the
address in square brackets.
The following is an example X-Forwarded-For request header for a
client with an IPv4 address of 12.34.56.78 and a port number of
8080.
X-Forwarded-For: 12.34.56.78:8080
The following is an example X-Forwarded-For request header for a
client with an IPv6 address of 2001:db8:85a3:8d3:1319:8a2e:370:7348
and a port number of 8080.
X-Forwarded-For: [2001:db8:85a3:8d3:1319:8a2e:370:7348]:8080
Preserve
The preserve mode in the attribute ensures that the
X-Forwarded-For header in the HTTP request is not modified in
any way before it is sent to targets.
Remove
The remove mode in the attribute removes the
X-Forwarded-For header in the HTTP request before it is sent to
targets.
If you enable the client port preservation attribute
(routing.http.xff_client_port.enabled), and also select
preserve or remove for the
routing.http.xff_header_processing.mode attribute, the Application Load Balancer
overrides the client port preservation attribute. It keeps the
X-Forwarded-For header unchanged, or removes it depending on
the mode you select, before it sends it to the targets.
The following table shows examples of the X-Forwarded-For header that
the target receives when you select either the append,
preserve or the remove mode. In this example, the IP
address of the last hop is 127.0.0.1.
| Request description | Example request | append | preserve | remove |
|---|---|---|---|---|
| Request is sent with no XFF header | GET /index.html HTTP/1.1 Host: example.com | X-Forwarded-For: 127.0.0.1 | Not present | Not present |
| Request is sent with an XFF header and a client IP address. | GET /index.html HTTP/1.1 Host: example.com X-Forwarded-For: 127.0.0.4 | X-Forwarded-For: 127.0.0.4, 127.0.0.1 | X-Forwarded-For: 127.0.0.4 | Not present |
| Request is sent with an XFF header with multiple client IP addresses. | GET /index.html HTTP/1.1 Host: example.com X-Forwarded-For: 127.0.0.4, 127.0.0.8 | X-Forwarded-For: 127.0.0.4, 127.0.0.8, 127.0.0.1 | X-Forwarded-For: 127.0.0.4, 127.0.0.8 | Not present |
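The following is an added example, not AWS code, of how a target can parse the header forms described above and treat only the rightmost entry as the client address, because in append mode that is the entry the load balancer wrote; earlier entries arrived with the request and are returned separately as unverified. The function names are hypothetical, and the example assumes the load balancer is in append mode and is the only proxy in front of the target.

```python
import ipaddress

def parse_xff_entry(entry):
    """Parse one X-Forwarded-For entry into (ip_address, port or None).

    Accepts the forms shown on this page: bare IPv4 or IPv6,
    IPv4:port, and [IPv6]:port. Raises ValueError on anything else.
    """
    entry = entry.strip()
    port = None
    if entry.startswith("["):                  # [IPv6]:port
        host, closing, rest = entry[1:].partition("]")
        if not closing or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed entry: {entry!r}")
        port = rest[1:] if rest else None
    elif entry.count(":") == 1:                # IPv4:port
        host, port = entry.split(":")
    else:                                      # bare IPv4 or bare IPv6
        host = entry
    ip = ipaddress.ip_address(host)            # ValueError if not an IP
    if port is not None:
        if not (port.isascii() and port.isdigit() and 0 < int(port) <= 65535):
            raise ValueError(f"bad port in entry: {entry!r}")
        port = int(port)
    return ip, port

def split_xff(header_value):
    """Return (client_ip, client_port, unverified_entries).

    Assumption: the load balancer is in append mode and is the only
    proxy in front of this target, so only the rightmost entry was
    written by it; everything before it arrived with the request.
    """
    entries = header_value.split(",")
    ip, port = parse_xff_entry(entries[-1])
    return ip, port, [e.strip() for e in entries[:-1]]

if __name__ == "__main__":
    # Constructed header values, taken from the examples on this page.
    for value in ("127.0.0.4, 127.0.0.8, 127.0.0.1",
                  "12.34.56.78:8080",
                  "[2001:db8:85a3:8d3:1319:8a2e:370:7348]:8080"):
        print(split_xff(value))
```

Log or rate-limit on the returned client address only; the unverified entries are useful as context but can be set to any value by the sender.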
X-Forwarded-Proto
The X-Forwarded-Proto request header helps you identify the protocol
(HTTP or HTTPS) that a client used to connect to your load balancer. Your server
access logs contain only the protocol used between the server and the load balancer;
they contain no information about the protocol used between the client and the load
balancer. To determine the protocol used between the client and the load balancer,
use the X-Forwarded-Proto request header. Elastic Load Balancing stores the protocol
used between the client and the load balancer in the X-Forwarded-Proto
request header and passes the header along to your server.
Your application or website can use the protocol stored in the
X-Forwarded-Proto request header to render a response that
redirects to the appropriate URL.
The X-Forwarded-Proto request header takes the following form:
X-Forwarded-Proto: originatingProtocol
The following example contains an X-Forwarded-Proto request header
for a request that originated from the client as an HTTPS request:
X-Forwarded-Proto: https
X-Forwarded-Port
The X-Forwarded-Port request header helps you identify the
destination port that the client used to connect to the load balancer.