A10 — X-forwarded-for

However, by inserting itself between the client and the server, an ADC creates a classic networking paradox:

Unlike XFF, which is HTTP-specific, PROXY Protocol prepends a binary header at the transport layer. It preserves the original client IP for any protocol—HTTP, HTTPS, SMTP, or raw TCP. If your backend server supports PROXY Protocol (e.g., HAProxy, Nginx, Apache 2.4.30+), this is a more robust solution than XFF. X-Forwarded-For on A10 Networks devices is a powerful but subtle tool. When configured correctly—preferably with replace mode to block spoofing—it restores end-to-end visibility. However, it shifts responsibility to the backend developer to parse headers securely. a10 x-forwarded-for

X-Forwarded-For: <client>, <proxy1>, <proxy2> However, by inserting itself between the client and

If your backend server reads only the first IP (leftmost) as the client, it will believe the request is coming from 127.0.0.1 (localhost)—bypassing all ACLs. X-Forwarded-For on A10 Networks devices is a powerful

A10 provides a configuration option to prevent this. Instead of appending, you can configure the ADC to or replace the XFF header.