Log True-Client-IP and add a proxy verification method

The proxy verification method provides a way to confirm that requests are successfully being forwarded from a configured reverse proxy to a site on the VIP Platform. In addition, sites behind a reverse proxy should also add custom application code that enables the IP address of an end user—sent by a reverse proxy—to be logged as the value of the True-Client-IP header in HTTP request logs.

The steps required to enable the proxy verification method as well as logging the IP address of an end user are outlined below.

Note

Configuring the reverse proxy and application code to send and receive the True-Client-IP value is not a requirement for a site behind a reverse proxy to receive public traffic. However, if the correct True-Client-IP value of the end user is not sent:

  • VIP’s ability to provide support and troubleshooting for a reverse proxy configuration will be very limited.
  • Functionality of themes, plugins, and VIP Platform security features that rely on IP address recognition (e.g. limits on failed login attempts) can potentially break.

Requirements

  • The domain and URL structure of the VIP site must match incoming requests. For example, if a user requests example.com/blog, the resource on VIP should be available at example.com/blog.
  • The reverse proxy should set a True-Client-IP Incoming HTTP request header with the IP of the end user.
  • The reverse proxy should set X-VIP-Proxy-Verification as an Incoming request header, not Outgoing.

Configuration

Prerequisites

To configure the request header verification method, a user must have access to both the dashboard of the reverse proxy provider as well as write access to the VIP application’s GitHub repository.

The VIP function fix_remote_address_with_verification_key() in this code example is necessary for the true IP address of the end user to be received. Without this function, it is likely that any instances of PHP’s $_SERVER['REMOTE_ADDR'] global variable in the site’s codebase will incorrectly return the IP address of the reverse proxy rather than that of the end user. This can cause unexpected results from application code that is expecting the IP of the end user.

  1. Generate a 40-character (or more) alphanumeric secret string.
  2. In the settings dashboard of the reverse proxy provider: Set the secret string as the X-VIP-Proxy-Verification Incoming request header value.
  3. Create a VIP Support ticket to notify VIP that the secret string has been generated for a reverse proxy. Supply the secret string with an application designed for sending sensitive information securely, like QuickForget.com, by Automattic. Under no circumstances should the secret string value be supplied in the VIP Support ticket.
  4. In the application’s codebase: Add the code snippet shown below to vip-config.php.
vip-config/vip-config.php

// Path to the IP-forwarding helper library in mu-plugins.
$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';

// Only act when the proxy sent both headers and the helper library exists.
if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] )
    && ! empty( $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION'] )
    && file_exists( $proxy_lib ) ) {
    require_once $proxy_lib;

    // phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Validated in the function call.
    Automattic\VIP\Proxy\fix_remote_address_with_verification_key(
        $_SERVER['HTTP_TRUE_CLIENT_IP'],
        $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION']
    );
    // phpcs:enable
}

Additional custom HTTP request headers can be sent to assist with the process of testing a reverse proxy configuration. VIP will not reject these requests.
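The idea behind steps 1 to 4, sketched as an added example: the forwarded True-Client-IP value is trusted only when the request also carries the shared secret. This is not VIP's fix_remote_address_with_verification_key() implementation and not code from the original page. The example_* function names, the way the expected key is passed in, and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not VIP's mu-plugins code. All example_* names are hypothetical.

// Step 1: alphanumeric secret of at least 40 characters, drawn from the CSPRNG.
function example_generate_proxy_secret( int $length = 40 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $secret   = '';
    for ( $i = 0; $i < max( 40, $length ); $i++ ) {
        // random_int() is CSPRNG-backed and unbiased, unlike rand() or mt_rand().
        $secret .= $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
    }
    return $secret;
}

// Return the address to treat as the client IP. The forwarded value is used
// only when the request carries the shared secret AND the value is a valid IP;
// in every other case the connection address (REMOTE_ADDR) is kept.
function example_resolve_client_ip( array $server, string $expected_key ): string {
    $remote   = (string) ( $server['REMOTE_ADDR'] ?? '' );
    $claimed  = $server['HTTP_TRUE_CLIENT_IP'] ?? '';
    $supplied = $server['HTTP_X_VIP_PROXY_VERIFICATION'] ?? '';

    if ( '' === $expected_key || ! is_string( $claimed ) || ! is_string( $supplied ) ) {
        return $remote; // No key configured or malformed input: fail closed.
    }
    // hash_equals() compares in constant time, so timing does not leak the key.
    if ( ! hash_equals( $expected_key, $supplied ) ) {
        return $remote;
    }
    // A verified proxy can still forward a malformed value; accept only a valid IP.
    if ( false === filter_var( $claimed, FILTER_VALIDATE_IP ) ) {
        return $remote;
    }
    return $claimed;
}

// Constructed sample requests using documentation-range addresses.
$key     = example_generate_proxy_secret();
$proxied = [
    'REMOTE_ADDR'                   => '198.51.100.7', // the reverse proxy
    'HTTP_TRUE_CLIENT_IP'           => '203.0.113.25', // the end user
    'HTTP_X_VIP_PROXY_VERIFICATION' => $key,
];
$unverified = array_merge( $proxied, [ 'REMOTE_ADDR' => '192.0.2.44', 'HTTP_X_VIP_PROXY_VERIFICATION' => 'wrong-key' ] );

var_dump( example_resolve_client_ip( $proxied, $key ) );    // key matches: forwarded address
var_dump( example_resolve_client_ip( $unverified, $key ) ); // key mismatch: connection address
```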

Last updated: June 18, 2024

Relevant to

  • Node.js
  • WordPress