I'm trying to extract IP addresses for HTTP requests with the X-Forwarded-For HTTP header. How should I do it?
The documentation is very vague (to say the least). I couldn't figure out if I should set it as a Header regex or a Header tag.
I've set this header regex, but I don't think it's doing anything with it:
%0d%0aX-Forwarded-For:%20\([^%0d%0a,]*\)
Answer by Paulo M.
Thanks, Adam.
It's kind of what I gathered from HTTP Configuration Options for Selected User-Defined Software Services. But the example doesn't seem to match the explanation.
And what if there's more than one X-Forwarded-For HTTP header or the value is a comma separated list of IP addresses?
If the value is not a single IP address, then using a regex is the best way. By surrounding the part that contains the desired IP with round brackets and "covering" the rest with a regex, it should be possible.
The case where we have two X-Forwarded-For fields in the HTTP header is rather unexpected, and we should first test it out before saying anything.
Do you have any example capture we can take a look at?
I haven't seen any request with multiple X-Forwarded-For HTTP headers (yet), but my colleague in charge of the proxies says that some misbehaved proxies might add extra X-Forwarded-For HTTP headers instead of adding to an existing one.
What I've seen, is something like this:
GET ... HTTP/1.0
Accept: application/javascript, */*;q=0.8
Referer: ...
Accept-Language: pt-PT
User-Agent: ...
Accept-Encoding: gzip, deflate
If-Modified-Since: Tue, 05 Mar 2013 18:39:42 GMT; length=13942
Cookie: ...
Host: ...
Via: 1.1 localhost (squid/3.1.6), 1.1 e1-escc:3131 (squid/2.7.STABLE9)
X-Forwarded-For: 10.253.122.38, 10.253.120.99
Cache-Control: max-age=0
Connection: keep-alive
So far, I've tried this header regex: %0d%0aX-Forwarded-For:%20\([^%0d%0a,]*\)
But I don't think it's working.
What am I doing wrong?
Let me know your version so we can test our best answer:
X-Forwarded-For: [^,]*, \(.*\)
to make sure it works well.
12.1.2
Your regex gets the first IP from a list of IPs. It doesn't account for when the X-Forwarded-For only has one IP address.
Verified on 12.1.2.
Regardless of the number of IPs, if you want to retrieve the last one, use:
X-Forwarded-For:.*([.0-9]*$).\n.*
In case you want to report the first one, use:
X-Forwarded-For: ([.0-9]*)
Paulo,
I understand you mean that example:
GET http://www.slow-server.com/login.jsp HTTP/1.1
Accept: */*
Referer: http://www.slow-server.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.slow-server.com
Connection: Keep-Alive
Cookie: FPB=061j8hura11q56cv; CRZY9=t=1;
REMOTE_ADDR: 10.1.0.2
does not mean the explanation:
The following regular expression extracts the address 10.1.0.2 from the REMOTE_ADDR field:
%0d%0aREMOTE_ADDR:%20\([^%0d%0a]*\)%0d%0a
The expression must contain a single sub-expression delimited by the pairs of characters "\(" and "\)". The expression in this example states that the search string should start at the beginning of a header line and end at the end of the line (note the use of % to denote the hex values of the carriage return and line feed characters). The line should start with the string "REMOTE_ADDR:". The sub-expression to extract is a string of characters different than ASCII CR or LF, and it should occur after the space following "REMOTE_ADDR:".
Would you please help me understand in what way it's not matching?
Or maybe I misunderstood your question?
According to the documentation, it should be:
X-Forwarded-For:%20\([.0-9]*\)
You're right - the documentation is wrong about it. We will make sure it is corrected.
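As an added example that is not part of this thread and not AMD code: a small Python parser covering the cases discussed above (a single address, a comma-separated list, and a misbehaved proxy that adds a second X-Forwarded-For header instead of appending to the existing one). It returns the first and the last address of the chain; the sample request is constructed, and the header regex is an ordinary Python regex rather than the AMD %0d%0a syntax.

```python
import ipaddress
import re

# Constructed sample request (not a real capture): two proxies in the chain,
# a comma-separated list, and a second X-Forwarded-For header added by a
# misbehaved proxy.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: example.test\r\n"
    "Via: 1.1 localhost (squid/3.1.6), 1.1 e1-escc:3131 (squid/2.7.STABLE9)\r\n"
    "X-Forwarded-For: 10.253.122.38, 10.253.120.99\r\n"
    "X-Forwarded-For: 10.253.121.7\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# One header line: name at line start, optional whitespace, value up to CR/LF.
HEADER_RE = re.compile(r"^X-Forwarded-For:[ \t]*([^\r\n]*)\r?$",
                       re.IGNORECASE | re.MULTILINE)


def forwarded_chain(raw_request):
    """Every address in X-Forwarded-For, in order of appearance.

    Repeated headers are folded into one comma-joined list (RFC 7230 list
    semantics); tokens that are not valid IPv4/IPv6 addresses are dropped.
    """
    chain = []
    for value in HEADER_RE.findall(raw_request):
        for entry in value.split(","):
            entry = entry.strip()
            try:
                chain.append(str(ipaddress.ip_address(entry)))
            except ValueError:
                continue  # e.g. "unknown" or garbage: skip it
    return chain


def first_hop(raw_request):
    """Leftmost entry: the address the original client claimed. A client can
    set this header itself, so treat it as untrusted input, not as identity."""
    chain = forwarded_chain(raw_request)
    return chain[0] if chain else None


def last_hop(raw_request):
    """Rightmost entry: appended by the proxy nearest to us, so it is only as
    trustworthy as that proxy."""
    chain = forwarded_chain(raw_request)
    return chain[-1] if chain else None
```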
Answer by Adam P.
Paulo,
If the X-Forwarded-For HTTP field contains just an IP address, it's recommended to use a Header tag, as it introduces less load on the AMD than the other options. Also, it's recommended to do it within a particular Software Service rather than globally: