IP allow list verification method

Implement the IP allow list verification method to verify that requests to a site were made via the configured reverse proxy.

Note

The request header verification method is the recommended method to verify that requests to a site were made via the configured reverse proxy. The IP allow list verification method is an acceptable alternative if there are technical limitations preventing the request header verification method from being configured.

Successfully configuring the IP allow list verification method also ensures that the IP address of an end user—sent by the reverse proxy as the True-Client-IP value—is correctly logged. When correctly configured, the IP address of an end user will also be properly set as PHP’s $_SERVER['REMOTE_ADDR'] global variable value instead of the reverse proxy’s IP address.

Failure to configure request verification from the reverse proxy for a site can limit VIP’s ability to provide support for specific issues, impede troubleshooting, and potentially break the functionality of themes, plugins, and VIP Platform security features that rely on IP addresses.

Requirements

  • The customer is responsible for regularly keeping the configured list of trusted IP addresses up to date.
  • The reverse proxy should set a True-Client-IP incoming HTTP request header with the IP address of the end user.

Configuration

To configure the IP allow list method, a user must have both access to the dashboard of the reverse proxy provider and write access to the VIP application’s GitHub repository.

  1. Create a vip-config/remote-proxy-ips.php file in the application’s codebase.
  2. Add an array of the reverse proxy IP addresses. The IPs can be provided as fully qualified IPv4 or IPv6 addresses or in Classless Inter-Domain Routing (CIDR) notation. The contents of the file should be similar to this code example:
vip-config/remote-proxy-ips.php
<?php

// A constant defining an array of allowed IP addresses and/or CIDRs
// which equate to the possible IP addresses of your Remote Proxy
define( 'MY_PROXY_IP_ALLOW_LIST', [
    '1.2.3.4/20',
    '5.6.7.8/20',
    '2.3.4.5',
] );
  3. Add the following code to vip-config/vip-config.php:
vip-config/vip-config.php
$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';

if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] ) && file_exists( $proxy_lib ) ) {
    require_once( __DIR__ . '/remote-proxy-ips.php' );
    require_once( $proxy_lib );

    Automattic\VIP\Proxy\fix_remote_address(
        $_SERVER['HTTP_TRUE_CLIENT_IP'],
        $_SERVER['HTTP_X_FORWARDED_FOR'],
        MY_PROXY_IP_ALLOW_LIST
    );
}

This verification method uses the VIP function fix_remote_address(), which is necessary for the true IP address of the end user to be received. Without this function, it is likely that any instances of $_SERVER['REMOTE_ADDR'] in the site’s codebase will incorrectly return the IP address of the reverse proxy rather than that of the end user. This can cause unexpected results in application code that expects the IP address of the end user.
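
The allow list decision described above, sketched as an added example; this is not VIP's fix_remote_address() code. The function names are hypothetical, `$proxy_ip` stands for whatever address the platform identifies as the reverse proxy, and the header value is trusted only when that address matches an allow list entry (IPv4 or IPv6, single address or CIDR).

```php
<?php
// Added illustration; not the VIP fix_remote_address() implementation.
// All function names here are hypothetical.

// True when $ip falls inside $entry (a single address or a CIDR range).
function example_ip_in_entry( string $ip, string $entry ): bool {
    [ $net, $bits ] = array_pad( explode( '/', $entry, 2 ), 2, null );
    $ip_bin  = @inet_pton( $ip );
    $net_bin = @inet_pton( $net );
    // Reject unparsable input and IPv4/IPv6 family mismatches.
    if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
        return false;
    }
    $max = strlen( $ip_bin ) * 8;
    if ( null === $bits ) {
        $bits = $max; // A bare address is an exact match.
    } elseif ( ! ctype_digit( $bits ) || (int) $bits > $max ) {
        return false; // Malformed prefix length.
    }
    $bits = (int) $bits;
    $full = intdiv( $bits, 8 );
    // Compare the whole bytes covered by the prefix.
    if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
        return false;
    }
    $rest = $bits % 8;
    if ( 0 === $rest ) {
        return true;
    }
    // Compare the remaining high bits of the next byte.
    $mask = ( 0xFF << ( 8 - $rest ) ) & 0xFF;
    return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

// Returns the address to treat as the end user: the header value only when
// the proxy address is allow-listed, otherwise the proxy address itself.
function example_resolve_client_ip( string $proxy_ip, string $header_ip, array $allow_list ): string {
    foreach ( $allow_list as $entry ) {
        if ( example_ip_in_entry( $proxy_ip, $entry ) ) {
            return false !== filter_var( $header_ip, FILTER_VALIDATE_IP ) ? $header_ip : $proxy_ip;
        }
    }
    return $proxy_ip;
}

// Constructed sample values, checked against the example allow list from this page.
$allow = [ '1.2.3.4/20', '5.6.7.8/20', '2.3.4.5' ];
var_dump( example_resolve_client_ip( '1.2.15.9', '203.0.113.7', $allow ) );     // proxy inside the first /20
var_dump( example_resolve_client_ip( '198.51.100.4', '203.0.113.7', $allow ) ); // proxy not on the list
```

A True-Client-IP header arriving from an address that is not on the list is ignored, which is why a stale allow list causes the proxy's own address to show up in logs and in $_SERVER['REMOTE_ADDR'].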

Last updated: January 05, 2024

Relevant to

  • Node.js
  • WordPress