is there a standard for chaining x-forwarded-for headers?

http-headers haproxy amazon-elb x-forwarded-for f5-big-ip

Yes, there's a standard: Don't use X-Forwarded-For at all.

RFC 7239 defines the Forwarded header, which has rather different semantics from X-Forwarded-For, and new implementations ought to be using it. Unfortunately it suffers from the same problem you have identified with X-Forwarded-For here: it may be defined twice in a request or contain a comma separated list of values. Proxies are also allowed to delete it entirely.

And yes, there's a best practice: Use a different header name internally.

Remember that X-Forwarded-For and its replacement Forwarded contain untrusted input. It is trivial for a client to put whatever they want in such a header. If you really need to know the public IP address of whatever connected to your server, stick it in a different header. For instance, CloudFlare uses CF-Connecting-IP for this purpose. I've also seen Client-IP and X-Real-IP used in nginx (where you can define anything you want). Whatever name is used, your load balancers should be sending the requester's IP address in some header other than X-Forwarded-For or Forwarded.

Related

Host keeps asking for password when using SSH Keys with PuTTY for Windows
logstash failing to parse syslog input
How to disable update notification in gcloud command?
Can't use ctrl+c to kill process in VM
How Does DNSWL work? How can I gain better trust? [closed]
Cloudflare integration with Azure websites
Postfix: disable "sender non-delivery notification" from MAILER-DAEMON
Postfix connected to Load Balancer, how to turn down connect/disconnect messages in mail.log
How to get color output from SSH command
Debian 8 resolv.conf overwritten by IPv6 autoconfiguration/DHCP when DHCP disabled
What's the top normal S.M.A.R.T. temperature for HGST Helium Ultrastar 8TB 7200 RPM SAS 12Gb/s enterprise drives?
How can I combine two commands to tally data from compressed and uncompressed log files?