TAC support to send original client IP to backend servers in HTTP header

TAC Gateway act as a proxy and load balance serer for backend server farm, backend server will not see the originating IP of the incoming HTTP request because it is proxy-ed  through TAC. Now it is possible to send original client IP in HTTP header to backend servers through TAC for web applications. 

This feature is helpful for debugging, collect statistics, generate location-dependent content and analytics data that comes to backend web servers from outside.

Send Client IP can be enabled on the Security tab of the Web application properties in TAC. Select “Send Client IP”  checkbox and enter header field  to pass the original client IP information to backend web servers.

If this feature checked TAC uses X-Forwarded-For (XFF) HTTP header to pass original client IP with the HTTP request.

The X-Forwarded-For (XFF) header is a standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used.

Without the use of XFF or another similar technique, any connection through the proxy would reveal only the originating IP address of the proxy server, effectively turning the proxy server into an anonymizing service, thus making the detection and prevention of abusive accesses significantly harder than if the originating IP address was available. The usefulness of XFF depends on the proxy server truthfully reporting the original host's IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

The general format of the output field is:

X-Forwarded-For: client, proxy1, proxy2

where the value is a comma+space separated list of IP addresses, the left-most being the original client, and each successive proxy that passed the request adding the IP address where it received the request from. In this example, the request passed through proxy1, proxy2, and then proxy3 (not shown in the header). proxy3 appears as remote address of the request.

There are other techniques available to send original IP such as Z-Forwarded-For and administrators need to use proper header format for expected results.