The 'true' client IP address.

Fastly reads this header from requests and writes it into requests. It is proprietary to Fastly.

When Fastly receives a request that does not include a Fastly-Client-IP header, we will add one, set to the current value of client.ip. This provides convenient access to the IP address that Fastly regards as the client making the request.

In contrast, client.ip is always the immediate client of the current server. In Fastly terms, this means that in services that use shielding, the client.ip may be another Fastly server, not the 'actual' client. Fastly-Client-IP doesn't change when being forwarded from one Fastly server to another so will always represent the value of client.ip that was first seen by Fastly.

It is also distinct from the values of the X-Forwarded-For header, which will additionally reflect any other downstream clients beyond the immediate one. Essentially, Fastly-Client-IP is the non-Fastly thing that is making the request to Fastly. If it is actually another proxy making the request on behalf of someone else, that won't change Fastly-Client-IP, but the additional downstream IPs should be included in the X-Forwarded-For header.

The value is not protected from modification at the edge of the Fastly network, so if a client sets this header themselves, we will use it. If you want to prevent this, set the value yourself in VCL:

vcl_recv { ... }
Fastly VCL
if (fastly.ff.visits_this_service == 0 && req.restarts == 0) {
set req.http.Fastly-Client-IP = client.ip;