Configure a reverse proxy

WordPress VIP’s IP addresses
Jetpack’s IP addresses
An application’s xmlrpc.php endpoint (*.example.com/xmlrpc.php)

To facilitate troubleshooting, documenting a reverse proxy’s configuration in the application’s /docs directory in the GitHub repository is recommended.

Reverse proxy provider configurations

Forward traffic to the *.go-vip.net convenience domain for any routes that should come to VIP along with any URL parameters sent by the end user. The requested path should be a valid route that exists within the VIP application (e.g. /blog/* ).
Set a Host: HTTP request header to the site’s domain (e.g. Host: example.com). This is usually set by passing the value that the end-user requested. To work as expected, this domain should be added to the site’s VIP Dashboard.
Set a True-Client-IP incoming HTTP request header (from the reverse proxy to VIP) with the IP of the end-user. Customers configuring a reverse proxy with Cloudflare may need to set a different, but equivalent header for the IP of the end-user.
Forward any requests for the domain’s .well-known/acme-challenge/* route to VIP, or install a custom TLS certificate for the domain on the VIP environment.

Domain and TLS configurations

Have valid TLS certificates for all public-facing domains applied to the reverse proxy.
Have valid TLS certificates on VIP for all domains mapped to a VIP application. VIP recommends using Let’s Encrypt TLS certificates. Follow the instructions for configuring proxy settings for a domain to pass the ACME challenge and provision a TLS certificate.
Have DNS CNAME records for public-facing domains, pointed to the proxy. DNS updates for a domain must be made with the domain’s DNS provider.

VIP application configurations

The Site Address (URL) of a site behind a reverse proxy should be set to the same domain and subdirectory (where applicable) as the domain and path that the reverse proxy is pointed to. For example, if a user requests example.com/blog, the Site Address (URL) of the site on VIP should be example.com/blog. This is the simplest and most reliable configuration between a reverse proxy and a site on the VIP Platform.

Log the True-Client-IP value

It is important that the reverse proxy is configured to send the original IP address of the end user (not the reverse proxy’s IP address) in an HTTP header when requests are forwarded to the VIP site. This will ensure that VIP Platform security features that rely on IP address recognition (e.g. limits on failed login attempts) will work as expected and that the end user IP address will be correctly recorded in the HTTP logs.

In addition, the IP address of an end user sent by the reverse proxy can be logged as True-Client-IP in HTTP request logs by adding custom code to an application’s codebase.

Methods for updating application code to enable the logging of the True-Client-IP value:

Cloudflare-specific settings

The True-Client-IP header is only available on Cloudflare Enterprise. If using Cloudflare, but not the Cloudflare Enterprise package, use the CF-Connecting-IP header instead; this is the same value under a different key.

Amend the X-VIP-Proxy-Verification method code example shown above by replacing both instances of the string HTTP_TRUE_CLIENT_IP with HTTP_CF_CONNECTING_IP. A guide for setting HTTP request header modification rules can be reviewed in Cloudflare’s documentation.

Akamai-specific settings

Akamai SureRoute

Akamai’s SureRoute technology attempts to find and cache the most optimal network route between the edge and the end user. VIP’s implementation of Anycast can cause SureRoute to use sub-optimal routes. For this reason it is recommended that clients disable SureRoute.

Images not showing in Safari

By default, Akamai removes the Vary headers passed from the origin, which can cause the caching of *.webp images on the edge nodes (this is unsupported on Safari). The most elegant workaround is to add a behavior to disable the removal of the Vary headers.

Edgio (previously Layer0)-specific settings

It might not be possible to send the True-Client-IP request header when using the Edgio reverse proxy. Edgio provides an x-0-client-ip header that contains the same value under a different key and can be used instead.

Amend the X-VIP-Proxy-Verification method code example shown above by replacing both instances of the string HTTP_TRUE_CLIENT_IP with HTTP_X_0_CLIENT_IP.

Custom reverse proxy

Customers using a custom standalone proxy to route traffic to VIP must ensure that it is configured to correctly support Border Gateway Protocol (BGP) and Anycast routing methods. If configured correctly, requests received by VIP from the custom reverse proxy will be globally distributed throughout VIP’s network of edge cache servers.

If a custom reverse proxy is not configured correctly, all requests may inadvertently be routed to a single VIP edge cache server at the geographical location closest to where the custom reverse proxy is hosted. Routing requests to a single edge cache server rather than globally distributing requests based on an end user’s location can negatively effect the performance of responses and reduce fault tolerance for the network.

Remove a proxy configuration

To remove a reverse proxy and make use of the VIP Platform exclusively, ensure the following:

The application is configured with the final domain.
The domain has a valid TLS certificate installed on the VIP side.
The site has been tested and is reachable by using a hosts file to bypass any proxy and send requests directly to VIP

By following the recommendations above and configuring the VIP side as if there were no proxy in place, the final URL as well as certificate should already be set. Following those recommendation will make it possible to remove the proxy by updating DNS to point to VIP directly. No additional changes on the VIP side should be needed.

Last updated: June 18, 2024