.. _envoy_v3_api_file_envoy/extensions/http/original_ip_detection/xff/v3/xff.proto:

XFF original IP detection extension
===================================




.. _envoy_v3_api_msg_extensions.http.original_ip_detection.xff.v3.XffConfig:

extensions.http.original_ip_detection.xff.v3.XffConfig
------------------------------------------------------

:repo:`[extensions.http.original_ip_detection.xff.v3.XffConfig proto] <api/envoy/extensions/http/original_ip_detection/xff/v3/xff.proto#L18>`

This extension allows for the original downstream remote IP to be detected
by reading the :ref:`config_http_conn_man_headers_x-forwarded-for` header.



.. _extension_envoy.http.original_ip_detection.xff:

This extension may be referenced by the qualified name ``envoy.http.original_ip_detection.xff``

.. note::
  

  This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

.. tip::
  This extension extends and can be used with the following extension category:


  - :ref:`envoy.http.original_ip_detection <extension_category_envoy.http.original_ip_detection>`

.. code-block:: json

  {
    "xff_num_trusted_hops": "..."
  }

.. _envoy_v3_api_field_extensions.http.original_ip_detection.xff.v3.XffConfig.xff_num_trusted_hops:

xff_num_trusted_hops
  (`uint32 <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_) The number of additional ingress proxy hops from the right side of the
  :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
  determining the origin client's IP address. The default is zero if this option
  is not specified. See the documentation for
  :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.