X-forwarded-for | A10
By inserting itself between the client and the server, an ADC creates a classic networking paradox:

When a client connects to an A10 VIP (Virtual IP), the A10 terminates that TCP connection and opens a separate one to the backend server. From the server's perspective, the source IP of every packet is the A10's own LAN (or SNAT) address, not the remote user's. This breaks logging, geo-location, rate limiting, and any security rule keyed on the client's IP address.

Enter X-Forwarded-For (XFF). This article explores how A10 handles this critical header, how to configure it, and the security pitfalls that come with it.

X-Forwarded-For is a de facto standard that was never formally specified. RFC 7239 defines the standardized Forwarded header intended to replace it, but XFF remains far more widely deployed and is what most backends still parse. Its syntax is a simple comma-separated list of addresses: the leftmost entry is whatever the original sender supplied, and each proxy along the path appends the source address of the connection it accepted.

Because the header is plain request data, anyone can send it. A malicious client sends an HTTP request to your A10 with a forged header:

GET /admin HTTP/1.1
X-Forwarded-For: 127.0.0.1

If your backend server reads only the first (leftmost) entry as the client address, it will believe the request is coming from 127.0.0.1 (localhost), bypassing any ACL that trusts loopback.

If your A10 is configured to append the client IP (the default), the header that reaches the backend becomes:

X-Forwarded-For: 127.0.0.1, 203.0.113.5

The forged value is still present, so a backend that reads the leftmost entry is still fooled. The only entry the backend can rely on is the one the A10 itself appended, here 203.0.113.5, which is the rightmost entry when the A10 is the last proxy before the server.

A10 provides a configuration option to remove the ambiguity. Instead of appending to whatever the client sent, you can configure the ADC to replace the XFF header, so the backend only ever sees the address the A10 inserted.
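The backend side of this is where the bypass actually succeeds or fails, so here is an added example (not code from the original article or from A10) of the two parsing strategies side by side: the spoofable leftmost read, and a walk from the right that skips every hop belonging to a trusted proxy range. It goes slightly beyond the single-hop case in the text: it also handles a chain of several of your own proxies and a client that connects straight to the backend, bypassing the ADC. The 10.0.0.0/24 range, the A10 address 10.0.0.10, and all header values are constructed for the example; substitute your ADC's real LAN/SNAT addresses.

```python
import ipaddress

# Constructed for this example: the subnet holding the A10's LAN / SNAT
# addresses. Anything outside these ranges is treated as untrusted.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_xff(header):
    """Split an X-Forwarded-For value into its comma-separated entries."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def is_trusted_proxy(addr):
    """True only for a syntactically valid address inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def naive_client_ip(xff_header):
    """The spoofable approach: trust the leftmost entry, i.e. whatever the
    remote party typed into the request before it ever reached the A10."""
    parts = parse_xff(xff_header)
    return parts[0] if parts else None


def trusted_client_ip(remote_addr, xff_header):
    """Walk the forwarding chain from the right, skipping every hop that is
    one of our proxies. remote_addr is the TCP peer the backend actually
    accepted the connection from (the A10 in the normal path).

    Returns the first address that is not ours, or None if that slot holds
    something that is not an IP address (a malformed header worth rejecting).
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection that bypassed the ADC: the header is attacker input.
        return remote_addr
    # The TCP peer is the implicit last hop of the chain.
    chain = parse_xff(xff_header) + [remote_addr]
    for hop in reversed(chain):
        if is_trusted_proxy(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))  # normalizes IPv6 spelling
        except ValueError:
            return None
    # Every hop was one of our proxies: all we can see is the ADC itself.
    return remote_addr


def admin_allowed(client_ip):
    """Toy ACL for /admin that only admits loopback, as in the attack above."""
    try:
        return ipaddress.ip_address(client_ip).is_loopback
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    a10 = "10.0.0.10"  # constructed A10 LAN address
    # What the backend sees in append mode after the forged request.
    seen = "127.0.0.1, 203.0.113.5"
    print("leftmost :", naive_client_ip(seen),
          "-> admin allowed?", admin_allowed(naive_client_ip(seen)))
    print("rightmost:", trusted_client_ip(a10, seen),
          "-> admin allowed?", admin_allowed(trusted_client_ip(a10, seen)))
```

Even with the A10 in replace mode, keep the right-to-left walk on the backend: it costs nothing, and it also protects you the day someone reaches the server on its real address without passing through the VIP at all.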