A10 X-forwarded-for New! Instant

In the A10 CLI, you create a template that instructions the ADC to insert the client IP.

If you have → Client → CDN (CloudFlare) → A10 → Backend, you want to preserve the original client IP, not the CDN’s edge IP.

However, X-Forwarded-For remains the industry standard due to widespread legacy support. Use Forwarded only if your backend explicitly supports it. a10 x-forwarded-for

Don’t let your load balancer become a black hole for client identity. Implement A10 X-Forwarded-For today.

If your A10 is configured to append the client IP (the default), the header becomes: X-Forwarded-For: 127.0.0.1, 203.0.113.5 In the A10 CLI, you create a template

Forwarded: for=203.0.113.5;by=192.168.1.100;proto=http

Enter X-Forwarded-For (XFF). This article explores how A10 handles this critical header, how to configure it, and the security pitfalls that come with it. Use Forwarded only if your backend explicitly supports it

Three common failure modes in A10 XFF setups:

(Optional) Enter a custom header name if your backend expects something else (like Navigate to SLB > Virtual Servers , select your VIP, and go to the Assign your new HTTP template in the Template HTTP 📄 Using aFleX for Custom Logic

If you need more control (e.g., only inserting headers for specific POST requests or checking if the header already exists), you can use an aFleX script when HTTP_REQUEST { # Replace existing header to prevent spoofing HTTP::header replace X-Forwarded-For [IP::client_addr] # Or, insert only if it doesn't exist # if ! [HTTP::header exists "X-Forwarded-For"] { # HTTP::header insert X-Forwarded-For [IP::client_addr] Use code with caution. Copied to clipboard 🔍 Verification & Troubleshooting Packet Capture:

In A10 Networks Thunder ADC (Application Delivery Controller), the feature is used to preserve and pass the original client's IP address to backend servers. This is necessary because when a load balancer sits between a client and a server, the server typically only sees the load balancer's IP address in its logs, which anonymises the actual user. Key Capabilities and Use Cases