Plugin: Update the X-Forwarded-For header value (x-forwarded-for-edit)

Other versions of this plugin may exist. Please ensure you are viewing the documentation for the version that you are currently using. If you are not running the latest version of your plugin we recommend upgrading. See: list of all available versions of this plugin.


This plugin can be used to remove some IP addresses from the X-Forwarded-For header of HTTP search requests.

It allows:

  • removing the first or last value of the X-Forwarded-For header

  • removing all values but the first.

This is required when an intermediate network hop gets included in the X-Forwarded-For header resulting in an incorrect value being detected for the remote user’s IP address.

An incorrect X-Forwarded-For value can result in the incorrect operation of features that are based on the user’s IP address including:

  • Search usage analytics

  • Curator

  • Predictive segmentation

  • Collection-level security (IP address-based access restriction)


Enabling the plugin

Enable the x-forwarded-for-edit plugin on your results page from the Extensions screen in the administration dashboard or add the following results page configuration to enable the plugin.

The plugin will take effect as soon as it is enabled.

Plugin configuration settings

The following options can be set in the results page configuration to configure the plugin:

  • plugin.x-forwarded-for-edit.config.mode: Specifies the mode of operation. If not set, this plugin does nothing. Acceptable values are:

    • RemoveFirst: Remove the first IP address from the X-Forwarded-For header.

    • RemoveLast: Remove the last IP address from the X-Forwarded-For header.

    • KeepFirst: Keep only the first IP address from the X-Forwarded-For header.


To keep only the first IP address from the X-Forwarded-For header for search requests, set:


which will result in the X-Forwarded-For header for a search request being modified to:

X-Forwarded-For:, => X-Forwarded-For:


The X-Forwarded-For header contains a list of IP addresses recording the various hops that the request went through before reaching the Funnelback backend server.

In a complex scenario, a request can go through multiple hops:

  • Proxy server of the client, to the CMS

  • CMS to the Funnelback load balancer (partial HTML example)

  • Funnelback load balancer to the actual backend server

When looking at the X-Forwarded-For header value, the first IP address will be the one closer to the client

X-Forwarded-For should not be trusted for access restriction as it can be easily spoofed.

In the example below:


the X-Forwarded-For header would have 3 values:

  1. The IP address of the client proxy (

  2. The IP address of the CMS (

  3. The IP address of the load balancers (

Another example is when Funnelback is put behind a content delivery network such as Akamaï:

  • Client makes a request to the Funnelback domain name, that sends to Akamaï

  • Akamaï makes a request to Funnelback load balancers on behalf of the client

  • Load balancers forward the request to the actual backend server

In all these cases it is desirable to only retain the IP address of the original client to ensure accurate analytics. Funnelback has partial support for this with logging.ignored_x_forwarded_for_ranges that will cause the last IP address (load balancer -> backend server) to be scrubbed. Multiple IP addresses may remain however and there’s no easy way to control which one should be kept.

For the example, in the Akamaï case, it would not be practical to configure all the possible IP addresses of Akamaï (hundreds) to be ignored. A better approach instead is to simply ignore the last X-Forwarded-For value and consider the one before last, as it will be the one of the client that issued the request to Akamaï.

All versions of x-forwarded-for-edit