Skip to content

Configure a reverse proxy

To set up a reverse proxy for a site on the VIP Platform, configurations must be made within the account of the reverse proxy provider, to the DNS of the site’s domain, in the VIP application’s codebase, within the site’s VIP Dashboard, and to the site itself. It is strongly recommended that the configurations of a reverse proxy are kept as simple as possible.

Upon completion, the configuration of a reverse proxy should also allow access to the site from:

To facilitate troubleshooting, documenting a reverse proxy’s configuration in the application’s /docs directory in the GitHub repository is recommended.

Reverse proxy provider configurations

  • Forward traffic to the *.go-vip.net convenience domain for any routes that should come to VIP along with any URL parameters sent by the end user. The requested path should be a valid route that exists within the VIP application (e.g. /blog/* ).
  • Set a Host: HTTP request header to the site’s domain (e.g. Host: example.com). This is usually set by passing the value that the end-user requested. To work as expected, this domain should be added to the site’s VIP Dashboard.
  • Set a True-Client-IP incoming HTTP request header (from the reverse proxy to VIP) with the IP of the end-user. Customers configuring a reverse proxy with Cloudflare may need to set a different, but equivalent header for the IP of the end-user.
  • Forward any requests for the domain’s .well-known/acme-challenge/* route to VIP, or install a custom TLS certificate for the domain on the VIP environment.

Domain and TLS configurations

  • Have valid TLS certificates for all public-facing domains applied to the reverse proxy.
  • Have valid TLS certificates on VIP for all domains mapped to a VIP application. VIP recommends using Let’s Encrypt TLS certificates. Additional instructions can be found below for mapping a proxy to pass the ACME challenge for TLS provisioning.
  • Have DNS CNAME records for public-facing domains, pointed to the proxy. DNS updates for a domain must be made with the domain’s DNS provider.

VIP application configurations

The Site Address (URL) of a site behind a reverse proxy should be set to the same domain and subdirectory (where applicable) as the domain and path that the reverse proxy is pointed to. For example, if a user requests example.com/blog, the Site Address (URL) of the site on VIP should be example.com/blog. This is the simplest and most reliable configuration between a reverse proxy and a site on the VIP Platform.

It is also important that a request verification method is added to the VIP application’s codebase to verify that requests to a site were made via the reverse proxy. Request verification ensures that the IP address of an end user—sent by the reverse proxy as the True-Client-IP value—is correctly logged. When correctly configured, the IP address of an end user will be properly set as PHP’s $_SERVER['REMOTE_ADDR'] global variable value instead of the reverse proxy’s IP address.

Though a site behind a configured reverse proxy will be accessible to public traffic without a verification method in place, neglecting to implement one of these methods is strongly discouraged.

Failure to configure request verification from the reverse proxy for a site can limit VIP’s ability to provide support for specific issues, impede troubleshooting, and potentially break functionality of themes, plugins, and VIP Platform security features that rely on IP address recognition (e.g. limits on failed login attempts).

Cloudflare-specific settings

The True-Client-IP header is only available on Cloudflare Enterprise. If using Cloudflare, but not the Cloudflare Enterprise package, use the CF-Connecting-IP header instead; this is the same value under a different key.

Amend the X-VIP-Proxy-Verification method code example shown above by replacing both instances of the string HTTP_TRUE_CLIENT_IP with HTTP_CF_CONNECTING_IP. A guide for setting HTTP request header modification rules can be reviewed in Cloudflare’s documentation.

Akamai-specific settings

Akamai SureRoute

Akamai’s SureRoute technology attempts to find and cache the most optimal network route between the edge and the end user. VIP’s implementation of Anycast can cause SureRoute to use sub-optimal routes. For this reason it is recommended that clients disable SureRoute.

Images not showing in Safari

By default, Akamai removes the Vary headers passed from the origin, which can cause the caching of *.webp images on the edge nodes (this is unsupported on Safari). The most elegant workaround is to add a behavior to disable the removal of the Vary headers.

Edgio (previously Layer0)-specific settings

It might not be possible to send the True-Client-IP request header when using the Edgio reverse proxy. Edgio provides an x-0-client-ip header that contains the same value under a different key and can be used instead.

Amend the X-VIP-Proxy-Verification method code example shown above by replacing both instances of the string HTTP_TRUE_CLIENT_IP with HTTP_X_0_CLIENT_IP.

Remove a proxy configuration

To remove a reverse proxy and make use of the VIP Platform exclusively, ensure the following:

  • The application is configured with the final domain.
  • The domain has a valid TLS certificate installed on the VIP side.
  • The site has been tested and is reachable by using a hosts file to bypass any proxy and send requests directly to VIP

By following the recommendations above and configuring the VIP side as if there were no proxy in place, the final URL as well as certificate should already be set. Following those recommendation will make it possible to remove the proxy by updating DNS to point to VIP directly. No additional changes on the VIP side should be needed.

Last updated: February 13, 2024

Relevant to

  • WordPress