Log True-Client-IP with an IP allow list

Implementing the IP allow list method in application code enables the IP address of an end user—sent by a reverse proxy—to be logged as the value of the True-Client-IP header in HTTP request logs.

When the reverse proxy and application code are correctly configured, PHP’s $_SERVER['REMOTE_ADDR'] global variable is set to the IP address of the end user instead of the reverse proxy’s IP address.

Note

Configuring the reverse proxy and application code to send and receive the True-Client-IP value is not a requirement for a site behind a reverse proxy to receive public traffic. However, if the correct True-Client-IP value of the end user is not sent:

  • VIP’s ability to provide support and troubleshooting for a reverse proxy configuration will be very limited.
  • Security features built in to the VIP Platform that rely on IP address recognition (e.g., limits on failed login attempts, protection against brute force attempts) will not work as expected.
  • Functionality in themes and plugins that rely on IP address recognition will not work as expected.

Requirements

  • The reverse proxy should set a True-Client-IP incoming HTTP request header with the IP address of the end user.
  • The customer is responsible for regularly keeping the configured list of trusted IP addresses up to date.

Configuration

Note

The proxy verification method is the recommended method to verify that a reverse proxy is correctly configured to send requests to a site. The IP allow list method described in this section is an acceptable alternative if there are technical limitations preventing the request header verification method from being configured.

Prerequisites

To configure the IP allow list method, a user must have access to both the dashboard of the reverse proxy provider and write access to the VIP application’s GitHub repository.

This verification method uses the VIP function fix_remote_address(), which is necessary for the true IP address of the end user to be received. Without this function, it is likely that any instances of $_SERVER['REMOTE_ADDR'] in the site’s codebase will incorrectly return the IP address of the reverse proxy rather than that of the end user. This can cause unexpected results from application code that expects the IP address of the end user.

  1. Create a vip-config/remote-proxy-ips.php file in the application’s codebase.
  2. Add an array of the reverse proxy IP addresses. The IPs can be provided as fully qualified IPv4 or IPv6 addresses or in Classless Inter-Domain Routing (CIDR) notation. The contents of the file should be similar to this code example:
vip-config/remote-proxy-ips.php
<?php

// A constant defining an array of allowed IP addresses and/or CIDRs
// which equate to the possible IP addresses of your Remote Proxy
define( 'MY_PROXY_IP_ALLOW_LIST', [
    '1.2.3.4/20',
    '5.6.7.8/20',
    '2.3.4.5',
] );
  3. Add the following code to vip-config/vip-config.php:
vip-config/vip-config.php
$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';

if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] ) && file_exists( $proxy_lib ) ) {
    require_once( __DIR__ . '/remote-proxy-ips.php' );
    require_once( $proxy_lib );

    Automattic\VIP\Proxy\fix_remote_address(
        $_SERVER['HTTP_TRUE_CLIENT_IP'],
        $_SERVER['HTTP_X_FORWARDED_FOR'],
        MY_PROXY_IP_ALLOW_LIST
    );
}
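The trust decision that an IP allow list implies, as an added illustration (not VIP's code and not the implementation of fix_remote_address()): the True-Client-IP value is used only when the connecting address matches a listed proxy address or CIDR range, for IPv4 and IPv6. The function names ip_in_entry() and resolve_client_ip() and all sample addresses are hypothetical.

```php
<?php
// Added illustration; these functions are hypothetical and not part of VIP's library.

// True if $ip falls inside $entry, which is a single address or a CIDR range.
function ip_in_entry( string $ip, string $entry ): bool {
    $parts = explode( '/', $entry, 2 );
    $addr  = @inet_pton( $ip );
    $net   = @inet_pton( $parts[0] );
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ( false === $addr || false === $net || strlen( $addr ) !== strlen( $net ) ) {
        return false;
    }
    $max_bits = strlen( $addr ) * 8;
    $bits     = $max_bits; // A bare address is treated as a full-length prefix.
    if ( isset( $parts[1] ) ) {
        if ( ! ctype_digit( $parts[1] ) || (int) $parts[1] > $max_bits ) {
            return false; // Malformed prefix length: never match.
        }
        $bits = (int) $parts[1];
    }
    // Compare the whole bytes covered by the prefix, then the remaining bits.
    $full = intdiv( $bits, 8 );
    if ( substr( $addr, 0, $full ) !== substr( $net, 0, $full ) ) {
        return false;
    }
    $rest = $bits % 8;
    if ( 0 === $rest ) {
        return true;
    }
    $mask = ( 0xFF << ( 8 - $rest ) ) & 0xFF;
    return ( ord( $addr[ $full ] ) & $mask ) === ( ord( $net[ $full ] ) & $mask );
}

// Return the address to log: the header value only when the peer is a listed proxy.
function resolve_client_ip( string $peer_ip, ?string $header_ip, array $allow_list ): string {
    if ( null === $header_ip || false === filter_var( $header_ip, FILTER_VALIDATE_IP ) ) {
        return $peer_ip; // Missing or malformed header: keep the peer address.
    }
    foreach ( $allow_list as $entry ) {
        if ( ip_in_entry( $peer_ip, $entry ) ) {
            return $header_ip;
        }
    }
    return $peer_ip; // Header arrived from an unlisted peer: ignore it.
}

// Constructed sample values in the allow list format shown above.
$allow = [ '1.2.3.4/20', '2.3.4.5', '2001:db8::/32' ];
var_dump( resolve_client_ip( '1.2.15.200', '203.0.113.7', $allow ) );   // peer inside 1.2.3.4/20
var_dump( resolve_client_ip( '198.51.100.9', '203.0.113.7', $allow ) ); // peer not listed
```

A stale allow list fails in both directions: a proxy address missing from the list causes the proxy's own IP to be logged, and a listed range the proxy provider no longer controls lets whoever holds it supply an arbitrary True-Client-IP value.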

Last updated: November 05, 2024

Relevant to

  • Node.js
  • WordPress