---
title: client.ip
summary: null
url: >-
  https://www.fastly.com/documentation/reference/vcl/variables/client-connection/client-ip
---


The IP address of the client making the HTTP request.  May be an IPv4 or IPv6 address.

When a request is first handled by a Fastly data center, `client.ip` represents the IP of the end user. In configurations that use [shielding](/guides/concepts/shielding), however, the value of `client.ip` when the request is processed by the shield data center will be the IP of the edge data center.

Fastly automatically sets a `Fastly-Client-IP` header as a copy of the initial value of `client.ip`, and this is therefore one means of accessing the original client IP upstream of the edge data center.  However, this header is not protected and can be spoofed as part of the client's initial request.

To prevent spoofing of the value of `Fastly-Client-IP`, set it explicitly in VCL:

```vcl
if (fastly.ff.visits_this_service == 0 && req.restarts == 0) {
  set req.http.Fastly-Client-IP = client.ip;
}
```

A common use of `client.ip` is to enforce access control against an [access control list](/reference/vcl/declarations/acl/).