When Anti-DDoS Proxy forwards website traffic to your origin server, it can inject HTTP headers carrying client metadata — originating IP address, originating port, and TLS fingerprints. Configure traffic marks so your backend services can identify and track the source of forwarded requests.
Prerequisites
Before you begin, ensure that you have:
A website configuration added to Anti-DDoS Proxy. For details, see Add a website configuration.
Enable traffic marking
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance.
| Instance type | Region |
|---|---|
| Anti-DDoS Proxy (Chinese Mainland) | Chinese Mainland |
| Anti-DDoS Proxy (Outside Chinese Mainland) | Outside Chinese Mainland |
In the left-side navigation pane, choose Provisioning > Website Config.
Find the website configuration you want to modify, then click Edit in the Actions column.
In the forwarding configuration, enable traffic marking. Two types of marks are available:
Default marks — predefined headers that Anti-DDoS Proxy injects automatically
Custom Header — additional headers you define to carry a custom value
Click Next and follow the prompts to save the configuration.
Default marks
Anti-DDoS Proxy supports two categories of default marks: request header forwarding options and traffic mark fields.
Request Header Forwarding Configuration
Enable these options to pass specific client connection details to your origin server:
| Option | Header added | Description |
|---|---|---|
| Insert X-Client-IP to Get Originating IP Address | X-Client-IP | Client's original IP address |
| Insert X-True-IP to Forward Client IP | X-True-IP | IP address the client used to establish the connection |
| Insert Web-Server-Type to Get Service Type | Web-Server-Type | Identifies which frontend web server or proxy handled the request (typically set by the first proxy) |
| Insert WL-Proxy-Client-IP to Get Connection IP | WL-Proxy-Client-IP | Same function as X-Client-IP; specific to Oracle WebLogic Server |
| X-Forwarded-Proto (Listener Protocol) | X-Forwarded-Proto | Protocol used between the client and the first proxy |
Traffic marks
These fields carry client metadata in the HTTP header. Anti-DDoS Proxy populates them automatically once enabled:
| Mark | HTTP header field | Description | Requirements |
|---|---|---|---|
| Originating Port | X-Forwarded-ClientSrcPort | Client's originating port | — |
| Originating IP Address | X-Forwarded-For | Client's originating IP address | — |
| JA3 Fingerprint | ssl_client_ja3_fingerprint_md5 | MD5 hash of the client JA3 fingerprint | Contact your account manager to enable |
| JA4 Fingerprint | ssl_client_ja4_fingerprint_md5 | MD5 hash of the client JA4 fingerprint | Contact your account manager to enable |
| Client TLS Fingerprint | ssl_client_tls_fingerprint_md5 | MD5 hash of the client TLS fingerprint | Contact your account manager to enable |
| HTTP/2 Fingerprint | http2_client_fingerprint_md5 | MD5 hash of the client HTTP/2.0 fingerprint | Contact your account manager to enable |
Custom Header
Add a custom HTTP header to mark requests passing through Anti-DDoS Proxy. Anti-DDoS Proxy injects the configured field and value into each request forwarded to your origin server.
Quantity limit: Up to 5 custom headers.
Naming restrictions
To avoid overwriting headers that Anti-DDoS Proxy or upstream proxies already set, do not use the following field names:
Anti-DDoS Proxy default fields:
| Field name | Purpose |
|---|---|
| X-Forwarded-ClientSrcPort | Client port for Layer 7 access |
| X-Forwarded-ProxyPort | Listening port for Layer 7 access |
| X-Forwarded-For | Client IP address for Layer 7 access |
| ssl_client_ja3_fingerprint_md5 | Client JA3 fingerprint MD5 hash |
| ssl_client_ja4_fingerprint_md5 | Client JA4 fingerprint MD5 hash |
| ssl_client_tls_fingerprint_md5 | Client TLS fingerprint MD5 hash |
| http2_client_fingerprint_md5 | Client HTTP/2.0 fingerprint MD5 hash |
Standard HTTP fields: host, user-agent, connection, upgrade
Common proxy fields: x-real-ip, x-true-ip, x-client-ip, web-server-type, wl-proxy-client-ip, eagleeye-rpcid, eagleeye-traceid, x-forwarded-cluster, x-forwarded-proto
Configuration tips
Start with default marks. Use a Custom Header only when your service requires non-standard field names.
Test header configuration in a staging environment before applying to production.
Keep field values to 100 characters or fewer to avoid degrading forwarding performance.
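The following pre-flight check applies the Custom Header rules above (quantity limit, reserved field names, 100-character values) to a planned configuration before you enter it in the console. It is an added example, not Anti-DDoS Proxy code; the function name `check_custom_headers` is hypothetical, and the field-name syntax and CR/LF checks are general HTTP hygiene assumed here rather than rules stated on this page.

```python
# Added example: lint planned Custom Header entries against this page's rules.
# check_custom_headers is a hypothetical helper, not part of any product API.
import re

MAX_HEADERS = 5        # "Up to 5 custom headers"
MAX_VALUE_LEN = 100    # "Keep field values to 100 characters or fewer"

RESERVED = {
    # Anti-DDoS Proxy default fields
    "x-forwarded-clientsrcport", "x-forwarded-proxyport", "x-forwarded-for",
    "ssl_client_ja3_fingerprint_md5", "ssl_client_ja4_fingerprint_md5",
    "ssl_client_tls_fingerprint_md5", "http2_client_fingerprint_md5",
    # Standard HTTP fields
    "host", "user-agent", "connection", "upgrade",
    # Common proxy fields
    "x-real-ip", "x-true-ip", "x-client-ip", "web-server-type",
    "wl-proxy-client-ip", "eagleeye-rpcid", "eagleeye-traceid",
    "x-forwarded-cluster", "x-forwarded-proto",
}

# Assumption: names must be RFC 9110 tokens (general HTTP rule, not from this page).
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def check_custom_headers(headers):
    """Return a list of problems for a list of (name, value) pairs."""
    problems = []
    if len(headers) > MAX_HEADERS:
        problems.append(f"{len(headers)} headers configured, limit is {MAX_HEADERS}")
    seen = set()
    for name, value in headers:
        key = name.strip().lower()   # HTTP field names are case-insensitive
        if not TOKEN.match(name):
            problems.append(f"{name!r}: not a valid HTTP field name")
        if key in RESERVED:
            problems.append(f"{name!r}: reserved field name")
        if key in seen:
            problems.append(f"{name!r}: duplicate field name")
        seen.add(key)
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"{name!r}: value is {len(value)} chars, keep to {MAX_VALUE_LEN}")
        if "\r" in value or "\n" in value:   # assumption: reject header splitting
            problems.append(f"{name!r}: value contains CR/LF")
    return problems

# Constructed sample configuration: one valid entry, one reserved name, one long value.
SAMPLE = [("X-Origin-Mark", "ddos-proxy-prod"), ("X-Real-IP", "1"), ("X-Trace", "a" * 101)]

if __name__ == "__main__":
    for problem in check_custom_headers(SAMPLE):
        print(problem)
```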
Read traffic marks on your origin server
After configuring traffic marks, parse the injected headers on your origin server to retrieve the client's true source IP address. For parsing examples across different web servers, see Get the true source IP address after configuring Anti-DDoS Proxy.