If your A10 is configured to append the client IP (the default), the header becomes: X-Forwarded-For: 127.0.0.1, 203.0.113.5
A10 provides a configuration option to prevent this. Instead of appending, you can configure the ADC to or replace the XFF header.
When configured for L7 load balancing (HTTP mode), the A10 ADC rewrites the HTTP request headers before forwarding the packet to the real server. It typically appends the original client IP address to the existing XFF header.
However, by inserting itself between the client and the server, an ADC creates a classic networking paradox: the header becomes: X-Forwarded-For: 127.0.0.1
A malicious client sends an HTTP request directly to your A10 with a forged header:

GET /admin HTTP/1.1
X-Forwarded-For: 127.0.0.1
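How a backend can read the appended header safely, as an added example that is not A10 code or part of the original page: only the entry the ADC itself appended (the rightmost one) is trusted, and the header is ignored when the TCP peer is not the ADC. The address 10.0.0.10 for the A10 and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed source address of the A10 as seen by the real server (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.10")}

def parse_xff(header_values):
    """Flatten one or more X-Forwarded-For header lines into a list of hops.
    Unparseable entries become None so that positions are preserved."""
    hops = []
    for line in header_values:
        for token in line.split(","):
            try:
                hops.append(ipaddress.ip_address(token.strip()))
            except ValueError:
                hops.append(None)
    return hops

def naive_client_ip(header_values):
    """The vulnerable pattern: trust the leftmost entry, which the client controls."""
    return parse_xff(header_values)[0]

def client_ip(peer_addr, header_values, trusted=TRUSTED_PROXIES):
    """Return the address the backend should treat as the client."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in trusted:
        # The request bypassed the ADC, so every XFF entry is client-supplied.
        return peer
    # Walk right to left: the rightmost entry was appended by the ADC, and
    # anything to the left of the first untrusted hop came from the client.
    for hop in reversed(parse_xff(header_values)):
        if hop is None:
            return peer  # malformed entry: fall back to the TCP peer
        if hop not in trusted:
            return hop
    return peer

if __name__ == "__main__":
    appended = ["127.0.0.1, 203.0.113.5"]  # header from the page, after the A10 appends
    print("naive  :", naive_client_ip(appended))         # forged value
    print("correct:", client_ip("10.0.0.10", appended))  # address the A10 saw
```

With the ADC in replace mode the header holds a single entry and both functions agree; the right-to-left walk only matters when appending is enabled.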