Search

GlobalSCAPE Knowledge Base

Respect X-Forwarded-For Header

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT v7.4.13 and later

DISCUSSION

Note: This is a high risk and controversial override that is considered experimental only. Use at your own risk!

If you are behind a trusted proxy or load balancer that always injects the real client IP into the X-Forwarded-For (XFF) header and you want EFT to use the XFF value over the connection defined IP, then you will want to create this key. When enabled, EFT will audit, log, and perform operations based on the XFF provided value (including IP ban logic!)  Note that EFT’s default behavior is to completely ignore any XFF header supplied value as those values can easily be spoofed by client. You should only enable this advanced property if you completely trust the device(s) on the network closest to EFT that you know with certainty will inject the true client IP into the XFF header. If you are not 100% certain then do not create this key!

Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\GlobalSCAPE Inc.\EFT Server 7.2\ForwardedForHeader

Name: ForwardedForHeader

Type: STRING

Value name: X-Forwarded-For, Forwarded, X-Forwarded-Host, or a custom value 

Default Value: Empty (if Empty then it is treated as if the key was not present).

EFT service restart required? Yes

Q. Why is this a string rather than a true/false (Boolean)?
A. The reason for this is that in a few rare instances customers rely on custom headers other than the XFF standard. This key allows customers to supply the custom header name they want, although we recommend sticking with X-Forwarded-For for most proxies and load balancers, including Azure and AWS elastic load balancers.

Q. What happens if an empty string is applied?
A. In that case EFT defaults to its standard behavior (use connection derived IP)

Q. What happens if EFT cannot find the header that was defined?
A. In that case EFT defaults to its standard behavior (use connection derived IP)

Q. If the XFF header contains multiple IPs, comma delimited, what happens?
A. EFT does not support multiple entries and this may result in some odd logging and operational behavior.

Q. Can I supply multiple IPs via the XFF, comma delimited?
A. Not presently and this will result in some odd logging  and operational behavior

Q. Can I supply an IPv6 IPs via the XFF?
A. This should work but has not yet (as of March 2019) been tested, given this feature is both experimental and risky.

Q. What if no string or garbage strings arrive via the XFF header?
A. This is why you should never use this key unless you are certain your LB or proxy will be supplying a valid IP in the XFF header. EFT will audit the garbage data but will not be able to ban the real client IP.

Details
Last Modified: 3 Months Ago
Last Modified By: kmarsh
Type: FAQ
Rated 3 stars based on 6 votes.
Article has been viewed 45K times.
Options
Also In This Category