
Request header verification method

The request header verification method is the recommended method for verifying that requests to a site were made via the configured reverse proxy.

Successfully configuring the request header verification method also ensures that the IP address of an end user—sent by the reverse proxy as the True-Client-IP value—is correctly logged. When correctly configured, the IP address of an end user will also be properly set as PHP’s $_SERVER['REMOTE_ADDR'] global variable value instead of the reverse proxy’s IP address.

Failure to configure request verification from the reverse proxy for a site can limit VIP’s ability to provide support for specific issues, impede troubleshooting, and potentially break functionality of themes, plugins, and VIP Platform security features that rely on IP addresses.

Requirements

  • The domain and URL structure of the VIP site must match incoming requests. For example, if a user requests example.com/blog, the resource on VIP should be available at example.com/blog.
  • The reverse proxy should set a True-Client-IP Incoming HTTP request header with the IP address of the end user.
  • The reverse proxy should set X-VIP-Proxy-Verification as an Incoming request header, not Outgoing.

Configuration

To configure the request header verification method, a user must have access to both the dashboard of the reverse proxy provider as well as write access to the VIP application’s GitHub repository.

  1. Generate a 40-character (or more) alphanumeric secret string.
  2. In the settings dashboard of the reverse proxy provider: Set the secret string as the X-VIP-Proxy-Verification Incoming request header value.
  3. Create a VIP Support ticket to notify VIP that the secret string has been generated for a reverse proxy. Supply the secret string with an application designed for sending sensitive information securely, like QuickForget.com, by Automattic. Under no circumstances should the secret string value be supplied in the VIP Support ticket.
  4. In the application’s codebase: Add the code snippet shown below to vip-config.php.
vip-config/vip-config.php

$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';
if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] )
    && ! empty( $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION'] )
    && file_exists( $proxy_lib ) ) {
    require_once $proxy_lib;
    // phpcs:disable WordPress.Security.ValidatedSanitizedInput.InputNotSanitized — Validated in the function call.
    Automattic\VIP\Proxy\fix_remote_address_with_verification_key(
        $_SERVER['HTTP_TRUE_CLIENT_IP'],
        $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION']
    );
    // phpcs:enable
}

This verification method uses the VIP function fix_remote_address_with_verification_key(), which is necessary for the true IP address of the end user to be received. Without this function, it is likely that any instances of $_SERVER['REMOTE_ADDR'] in the site’s codebase will incorrectly return the IP address of the reverse proxy rather than the end user. This can cause unexpected results from application code that is expecting the IP of the end user.
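The general pattern behind this method, shown as an added illustration: this is not VIP's implementation of fix_remote_address_with_verification_key() and is not code to add to vip-config.php. The function names example_generate_proxy_secret() and example_resolve_client_ip() are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration: NOT VIP's implementation. All function names are hypothetical.

/** Step 1: build an alphanumeric secret from a CSPRNG (40 characters or more). */
function example_generate_proxy_secret( int $length = 40 ): string {
    if ( $length < 40 ) {
        throw new InvalidArgumentException( 'Use at least 40 characters.' );
    }
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $secret   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        // random_int() draws from the OS CSPRNG and is unbiased over the range.
        $secret .= $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
    }
    return $secret;
}

/**
 * Return the end-user IP to trust for this request.
 * The forwarded IP is used only when the verification header matches the secret
 * and the value is a syntactically valid IP; otherwise the socket peer is kept.
 */
function example_resolve_client_ip( array $server, string $expected_secret ): string {
    $peer      = $server['REMOTE_ADDR'] ?? '';
    $submitted = $server['HTTP_X_VIP_PROXY_VERIFICATION'] ?? '';
    $forwarded = $server['HTTP_TRUE_CLIENT_IP'] ?? '';

    // hash_equals() compares in constant time, so response timing does not leak the secret.
    if ( ! is_string( $submitted ) || '' === $expected_secret
        || ! hash_equals( $expected_secret, $submitted ) ) {
        return $peer; // Unverified request: ignore True-Client-IP entirely.
    }
    // Even a value from the verified proxy must parse as an IPv4 or IPv6 address.
    if ( ! is_string( $forwarded ) || false === filter_var( $forwarded, FILTER_VALIDATE_IP ) ) {
        return $peer;
    }
    return $forwarded;
}

// Constructed sample requests using documentation-range addresses.
$secret  = example_generate_proxy_secret();
$via     = array( 'REMOTE_ADDR' => '192.0.2.10', 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7', 'HTTP_X_VIP_PROXY_VERIFICATION' => $secret );
$spoofed = array( 'REMOTE_ADDR' => '198.51.100.23', 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7', 'HTTP_X_VIP_PROXY_VERIFICATION' => 'guess' );

var_dump( example_resolve_client_ip( $via, $secret ) );     // header matches: forwarded IP is used
var_dump( example_resolve_client_ip( $spoofed, $secret ) ); // header mismatch: peer address is kept
```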

Custom HTTP request headers can be sent to assist with the process of testing a reverse proxy configuration. VIP will not reject these requests.

Last updated: January 05, 2024

Relevant to

  • Node.js
  • WordPress