I understand that a header HTTP_X_FORWARDED_FOR
is set by proxy servers to identify the ip-address of the host that is making the HTTP request through the proxy. I've heard claims that the header HTTP_CLIENT_IP
is set for similar purposes.
What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? Why would one have different values than the other? Where can I find resources on the exact definition of these headers.
Neither of these headers are officially standardised. Therefore:
What is the difference between HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR? - it is impossible to say. Different proxies may implement these, or may not. The implementations may vary from one proxy to the next, and they may not. A lack of a standard breeds question marks. Why would one have different values than the other? - See point 1. However, from a purely practical point of view, the only reason I can see for these having different values is if more than one proxy was involved - the X-Forwarded-For: header might then contain a complete track of the forwarding chain, whereas the Client-IP: header would contain the actual client IP. This is pure speculation, however. Where can I find resources on the exact definition of these headers. - You can't. See point 1.
There does seem to be some kind of de-facto standard regarding the X-Forwarded-For:
header, but
given that there is no RFC that defines it this cannot be relied upon
see comment below.
As a side note, the Client-IP:
header should by convention be X-Client-IP:
since it is a 'user-defined' header.
Success story sharing
X-Forwarded-For
andX-Client-IP
.