Phoenix channel get user IP address

The perils of the “real” client IP is a must-read on this topic. Recently posted on Hacker News.

Its summary says:

  • When deriving the “real client IP address” from the X-Forwarded-For header, use the rightmost IP in the list.
  • The leftmost IP in the XFF header is commonly considered to be “closest to the client” and “most real”, but it’s trivially spoofable. Don’t use it for anything even close to security-related.
  • When choosing the rightmost XFF IP, make sure to use the last instance of that header.
  • Using special “true client IPs” set by reverse proxies (like X-Real-IP, True-Client-IP, etc.) can be good, but it depends on a) how the reverse proxy actually sets it, b) whether the reverse proxy sets it if it’s already present/spoofed, and c) how you’ve configured the reverse proxy (sometimes).
  • Any header not specifically set by your reverse proxy cannot be trusted. For example, you must not check the X-Real-IP header if you’re not behind Nginx or something else that always sets it, because you’ll be reading a spoofed value.
  • A lot of rate limiter implementations are using spoofable IPs and are vulnerable to rate limiter escape and memory exhaustion attacks.
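One way to apply the summary's "last header instance, rightmost address" rule in Elixir, as an added example that is not from the original post or the article it quotes. The module name and the sample headers are constructed, and the function works on a Plug-style `{name, value}` header list plus the peer address rather than on a real connection; it assumes your reverse proxy is known to append to X-Forwarded-For.

```elixir
# Added example, not from the original post or the quoted article.
# Operates on a Plug-style header list ([{name, value}], lowercased names);
# module name and sample values are constructed for illustration.
defmodule ClientIp do
  @doc """
  Takes the LAST X-Forwarded-For header instance and its RIGHTMOST address,
  i.e. the entry appended by the proxy you control, never the leftmost one
  the client can freely spoof. Falls back to `remote_ip` (the peer address
  tuple) when no usable XFF value is present.
  """
  @spec client_ip([{String.t(), String.t()}], :inet.ip_address()) :: :inet.ip_address()
  def client_ip(req_headers, remote_ip) do
    req_headers
    |> Enum.filter(fn {name, _value} -> name == "x-forwarded-for" end)
    |> List.last()
    |> case do
      nil -> remote_ip
      {_name, value} -> rightmost_ip(value) || remote_ip
    end
  end

  # Splits "a, b, c", trims each entry and parses only the last one;
  # returns nil when that entry is not a valid IP literal.
  defp rightmost_ip(value) do
    value
    |> String.split(",")
    |> Enum.map(&String.trim/1)
    |> List.last()
    |> parse_ip()
  end

  defp parse_ip(nil), do: nil

  defp parse_ip(str) do
    case :inet.parse_address(String.to_charlist(str)) do
      {:ok, ip} -> ip
      {:error, _reason} -> nil
    end
  end
end

# Constructed request: the client sent a spoofed XFF header of its own and a
# spoofed leading entry; the trusted proxy appended the real peer last.
headers = [
  {"x-forwarded-for", "1.2.3.4"},
  {"x-forwarded-for", "1.2.3.4, 203.0.113.9"}
]

IO.inspect(ClientIp.client_ip(headers, {10, 0, 0, 5}), label: "rightmost XFF")
IO.inspect(ClientIp.client_ip([{"x-forwarded-for", "garbage"}], {10, 0, 0, 5}), label: "fallback")
```

Using the leftmost entry here would yield the attacker-chosen 1.2.3.4, which is exactly the spoofable value the summary warns against for rate limiting.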