X-Forwarded-For - Should I be using it?

Donny

Active member
Trying a new ad network provider to manage my Ad Manager account and they routed my traffic through their network so they can provide stats and all sorts of things.

But in doing so, they advised me to use the X-Forwarded-For header, which I now understand can be spoofed?

Should I be using this?

Is there a way to stop spoofing via it?
 
Yes, you absolutely should.

Otherwise, all of the user registrations and content IP addresses will be listed as coming from your ad provider's server IP addresses and not the end users. This will render some spam mitigation efforts ineffective, you can no longer ban users by IP address, and doing so could block the ad provider's servers, thus making the site inaccessible to the outside world. It will also make it look like all of your users are sharing only a few IP addresses, which will make it harder to detect abuse or troublesome users who create multiple accounts.
 
The IP addresses I already see are the end users' IP addresses. When adding the X-Forwarded-For to my config.php, it just rendered logging in for about 10% of users useless and forwarded them back to the homepage.

I'm using Cloudflare on a dedicated server with multiple forums running on the same server IP.

Apparently the x-forwarded-for thing can leave the site vulnerable to IP spoofing?
 
This is something that you need to configure at the web server level, not in XenForo's config.php.

Apparently the x-forwarded-for thing can leave the site vulnerable to IP spoofing?

Only if you still allow the server to accept direct connections that bypass the proxy server. Otherwise, the X-Forwarded-For header is set by the server acting as the proxy, which you obviously trust.
 