
Clarification on Multiple IPs in HTTP_X_FORWARDED_FOR and Recommendation for Resolution


Hello Team,

We have observed that our application is receiving two IP addresses, separated by a comma, in the $_SERVER['HTTP_X_FORWARDED_FOR'] variable on the pre-production domain. The application is currently designed to expect a single IP address—the original client IP—for accurate request tracing and logging.

Upon investigation, we found that the domain is pointed to the application through a load balancer, which is likely appending its own IP along with the client's IP. As a result, the X-Forwarded-For header contains multiple values.

To resolve this issue and ensure that only the original client IP is passed through:

Recommended Action: We recommend enabling the preserve client IP option on the load balancer, if supported. This will help maintain the original client IP in the X-Forwarded-For header without appending additional IPs. This simplifies logging and improves traceability.

Server Level: Please confirm whether any changes are needed on the server side, particularly in the Nginx configuration, that may affect how the X-Forwarded-For header is handled.

Please let us know if we should proceed with these changes, or anything else.

With Regards, Vibhuti Zore

1 Answer

What you see is expected behavior with most AWS load balancers, which append their IP to the X-Forwarded-For header. If you’re using an ALB or NLB with a proxy protocol, the client IP comes first, followed by intermediary IPs. So yes, your app needs to either parse the first IP in the list, or you can configure your reverse proxy (like Nginx) to extract it cleanly.

If you're using Nginx in front, I'd suggest these directives:

```nginx
set_real_ip_from <load-balancer-ip-or-CIDR>;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
```

This will make Nginx treat the first IP in the X-Forwarded-For chain as the real client. You don't need to change the load balancer unless it's appending something unnecessary (like NAT IPs from upstream proxies).

Also worth double-checking if the app logic is parsing $_SERVER['HTTP_X_FORWARDED_FOR'] naively. A simple explode(',', ...) with trim() on the first entry usually fixes this.

answered 10 months ago
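As an added example (not code from the question or the answer above), here is a PHP resolver that picks the client address out of X-Forwarded-For the same way a reverse proxy's real-IP module does: it only consults the header when the TCP peer (REMOTE_ADDR) is a known proxy, then walks the comma-separated list from the right and skips every hop that belongs to a trusted proxy range. The practical reason to do it this way rather than taking the first entry is that the leftmost value is whatever the client chose to send; a proxy only ever appends, so the rightmost untrusted entry is the one the trusted infrastructure vouched for. The trusted ranges in TRUSTED_PROXIES, the helper names clientIp and ipInCidr, and the sample peers and headers are all assumptions constructed for the demonstration; substitute the load balancer's real subnets.

```php
<?php
// Added example, not from the original question or answer.
// Resolve the client IP from X-Forwarded-For by walking the chain from the
// right and skipping trusted proxies. The LEFTMOST entry is client-supplied
// and must never be trusted on its own.

/** Trusted proxy ranges. Hypothetical values: replace with the load
 *  balancer's real subnets. Mixed IPv4/IPv6 is handled. */
const TRUSTED_PROXIES = ['10.0.0.0/8', '172.16.0.0/12', '2001:db8::/32'];

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparseable address, or IPv4 compared against IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole prefix bytes first, then the remaining partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * $remoteAddr is the TCP peer ($_SERVER['REMOTE_ADDR']), which cannot be
 * forged by the client. The header is consulted only when that peer is a
 * trusted proxy. Hops are consumed right-to-left; the first untrusted,
 * syntactically valid address is the client.
 */
function clientIp(string $remoteAddr, ?string $xff): string
{
    if ($xff === null || $xff === '' || !isTrustedProxy($remoteAddr)) {
        return $remoteAddr; // direct connection or unknown proxy: ignore header
    }
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        // Some proxies emit IPv4 entries with a port, e.g. 198.51.100.7:443.
        if (preg_match('/^(\d{1,3}(?:\.\d{1,3}){3}):\d+$/', $hop, $m)) {
            $hop = $m[1];
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr; // malformed entry: fail closed to the peer address
        }
        if (!isTrustedProxy($hop)) {
            return $hop;
        }
    }
    // Every hop was a trusted proxy; the peer address is the best we have.
    return $remoteAddr;
}

// Constructed sample requests (not real traffic).
$samples = [
    // LB at 10.0.1.20 appended itself behind the client 203.0.113.9.
    ['10.0.1.20', '203.0.113.9, 10.0.1.20'],
    // Client sent a forged header claiming 127.0.0.1; the LB appended the
    // real client 198.51.100.7. Taking the first entry would log 127.0.0.1.
    ['10.0.1.20', '127.0.0.1, 198.51.100.7, 10.0.1.20'],
    // Request reached the app without passing through the LB: header ignored.
    ['198.51.100.42', '203.0.113.9'],
];
foreach ($samples as [$peer, $header]) {
    printf("peer=%-15s xff=%-38s client=%s\n", $peer, $header, clientIp($peer, $header));
}
```

In production, call clientIp($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null) once per request and log that value. If Nginx already rewrites $remote_addr with the real_ip module, the list of trusted ranges here should match its set_real_ip_from entries so both layers agree on who the client is.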
