Log True-Client-IP and add a proxy verification method
The proxy verification method provides a way to confirm that requests are successfully being forwarded from a configured reverse proxy to a site on the VIP Platform. In addition, sites behind a reverse proxy should also add custom application code that enables the IP address of an end user (sent by a reverse proxy) to be logged as the value of the True-Client-IP header in HTTP request logs.
The steps required to enable the proxy verification method as well as logging the IP address of an end user are outlined below.
Note
Configuring the reverse proxy and application code to send and receive the True-Client-IP value is not a requirement for a site behind a reverse proxy to receive public traffic. However, if the correct True-Client-IP value of the end user is not sent:
- VIP’s ability to provide support and troubleshooting for a reverse proxy configuration will be very limited.
- Security features built into the VIP Platform that rely on IP address recognition (e.g., limits on failed login attempts, protection against brute force attempts) will not work as expected.
- Functionality in themes and plugins that relies on IP address recognition will not work as expected.
Requirements
- The domain and URL structure of the VIP site must match incoming requests. For example, if a user requests example.com/blog, the resource on VIP should be available at example.com/blog.
- The reverse proxy should set a True-Client-IP Incoming HTTP request header with the IP of the end user.
- The reverse proxy should set X-VIP-Proxy-Verification as an Incoming request header, not Outgoing.
Configuration
Prerequisites
To configure the request header verification method, a user must have access to both the dashboard of the reverse proxy provider as well as write access to the VIP application’s GitHub repository.
The VIP function fix_remote_address_with_verification_key() in this code example is necessary for the true IP address of the end user to be received. Without this function, it is likely that any instances of PHP’s $_SERVER['REMOTE_ADDR'] global variable in the site’s codebase will incorrectly return the IP address of the reverse proxy rather than the end user. This can cause unexpected results from application code that is expecting the IP of the end user.
- Generate a 40-character (or more) alphanumeric secret string.
- In the settings dashboard of the reverse proxy provider: Set the secret string as the X-VIP-Proxy-Verification Incoming request header value.
- Create a VIP Support ticket to notify VIP that the secret string has been generated for a reverse proxy. Supply the secret string with an application designed for sending sensitive information securely, like QuickForget.com, by Automattic. Under no circumstances should the secret string value be supplied in the VIP Support ticket.
- In the application’s codebase: Add the code snippet shown below to vip-config.php.
$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';
if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] )
    && ! empty( $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION'] )
    && file_exists( $proxy_lib ) ) {
    require_once $proxy_lib;
    // phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized — Validated in the function call.
    Automattic\VIP\Proxy\fix_remote_address_with_verification_key(
        $_SERVER['HTTP_TRUE_CLIENT_IP'],
        $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION']
    );
    // phpcs:enable
}
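The snippet above passes both headers to VIP's function together. As an added illustration (not VIP's code, and not the implementation of fix_remote_address_with_verification_key()), the following generic sketch shows why a forwarded client IP should only be trusted when it arrives with the shared secret. The function name, the placeholder secret and the sample addresses are hypothetical and constructed for this example.

```php
<?php
// Added illustration only. example_resolve_client_ip() is a hypothetical name,
// not part of VIP's codebase.

/**
 * Return the IP address to treat as the end user for this request.
 *
 * @param array  $server          Request data shaped like $_SERVER.
 * @param string $expected_secret Secret configured on the reverse proxy.
 */
function example_resolve_client_ip( array $server, string $expected_secret ): string {
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $forwarded = $server['HTTP_TRUE_CLIENT_IP'] ?? '';
    $presented = $server['HTTP_X_VIP_PROXY_VERIFICATION'] ?? '';

    // Both headers must be non-empty strings, otherwise keep the connecting peer.
    if ( ! is_string( $forwarded ) || ! is_string( $presented ) || '' === $forwarded || '' === $presented ) {
        return $peer;
    }
    // Constant-time comparison so response timing does not leak the secret.
    if ( '' === $expected_secret || ! hash_equals( $expected_secret, $presented ) ) {
        return $peer;
    }
    // The header is client-controlled text until it parses as an IP address.
    $ip = filter_var( $forwarded, FILTER_VALIDATE_IP );
    return false === $ip ? $peer : $ip;
}

// Constructed sample data: placeholder secret and documentation-range addresses.
$secret = 'EXAMPLE0secret0placeholder0do0not0use0123';
$proxy  = '198.51.100.10';
$cases  = array(
    'secret matches'  => array( 'REMOTE_ADDR' => $proxy, 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7', 'HTTP_X_VIP_PROXY_VERIFICATION' => $secret ),
    'wrong secret'    => array( 'REMOTE_ADDR' => $proxy, 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7', 'HTTP_X_VIP_PROXY_VERIFICATION' => 'guess' ),
    'secret missing'  => array( 'REMOTE_ADDR' => $proxy, 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7' ),
    'malformed IP'    => array( 'REMOTE_ADDR' => $proxy, 'HTTP_TRUE_CLIENT_IP' => 'not-an-ip', 'HTTP_X_VIP_PROXY_VERIFICATION' => $secret ),
);

// Only the first case yields the forwarded address; the rest fall back to the peer.
foreach ( $cases as $label => $server ) {
    printf( "%-16s => %s\n", $label, example_resolve_client_ip( $server, $secret ) );
}
```

Because a True-Client-IP header can be set by any sender, rate limits and login protections keyed on IP address are only as reliable as this verification step.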
Additional custom HTTP request headers can be sent to assist with the process of testing a reverse proxy configuration. VIP will not reject these requests.
Last updated: November 05, 2024