Find the real user IP from behind a proxy

Your WordPress might be installed behind a proxy, whether it is a load balancer, a caching server (varnish), or a lighter server used as a front end to the main one (nginx as a reverse proxy to apache). In all of those configurations, information like the IP address of the user is not available to the PHP layer on which WordPress runs, and therefore not available to WordPress itself.

Why should you care? The lack of this information prevents you from taking actions based on IP address or general geographical profiling, and might hurt plugins that depend on knowing the true IP address, like anti-spam plugins and login rate limiters. When you are behind a proxy you can’t see the “true” IP address of the commenters, or block access to the login based on IP.

This plugin populates the relevant information at the PHP level based on the information that the proxies through which the request traveled added to the request. The value reported to PHP by the webserver as the user’s IP address ($_SERVER['REMOTE_ADDR']) will be replaced by the value reported by the proxies as the original IP. In a similar way, the variable indicating use of the https protocol, $_SERVER['HTTPS'], will be set appropriately.

The main problem with the process is that the values reported by the proxies can be spoofed, producing a wrong result. To overcome this, you need to configure the plugin to let it know which proxies should be trusted; the information sent by the others will simply be ignored. For that you will need to know the IP address of your most external proxy, and anything between it and the webserver will be trusted.

No CDN support

The way CDNs work, having many servers around the world, prevents the identification of a “most external proxy”, and therefore it is impossible to establish which proxies to trust.

At this point in time the plugin is simply not designed to handle more than one “trusted” external server.

Technical details

The code inspects the X-FORWARDED-FOR http header and traverses the list of proxies mentioned in it to find the “forwarded for” address that the “trusted proxy” reported. If one is found, $_SERVER['REMOTE_ADDR'] is set to it, $_SERVER['HTTP_X_FORWARDED_FOR'] is unset, and if the X-FORWARDED-PROTO header contains https then $_SERVER['HTTPS'] is set to “on”.
If the trusted proxy is not found then nothing is done.
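
The traversal described above, as an added example that is not the plugin's own code: resolve_client_ip() is a hypothetical helper that scans the hop chain from the webserver outward, so a header entry that a client pre-filled with the proxy's address is not mistaken for the proxy's own report. It assumes the webserver accepts connections only through the proxy chain; the sample addresses are constructed.

```php
<?php
// Added example, not the plugin's code. resolve_client_ip() is a hypothetical name.

/**
 * Returns the address the trusted proxy reported as its peer, or null when
 * the trusted proxy is not in the chain (in which case nothing is changed).
 */
function resolve_client_ip(string $remoteAddr, string $xff, string $trustedProxy): ?string
{
    // Hops in arrival order: X-Forwarded-For entries, then the direct peer.
    $hops = array_values(array_filter(array_map('trim', explode(',', $xff)), 'strlen'));
    $hops[] = trim($remoteAddr);

    // Walk from the webserver outward. The first match is the hop that really
    // passed through our infrastructure; entries further left that merely
    // name the proxy could have been written by the client.
    for ($i = count($hops) - 1; $i > 0; $i--) {
        if ($hops[$i] === $trustedProxy) {
            $candidate = $hops[$i - 1];
            // Reject non-address values such as "unknown" or injected text.
            return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
        }
    }
    return null;
}

// Constructed samples: [REMOTE_ADDR, X-Forwarded-For]. 10.0.0.23 stands for
// the internal address of the most external proxy.
$samples = [
    ['10.0.0.23',  '203.0.113.7'],                          // plain request via the proxy
    ['10.0.0.30',  '203.0.113.7, 10.0.0.23'],               // extra internal hop after the proxy
    ['10.0.0.23',  '198.51.100.9, 10.0.0.23, 203.0.113.7'], // client pre-filled the header
    ['192.0.2.50', '198.51.100.9'],                         // trusted proxy absent
];
foreach ($samples as [$remote, $xff]) {
    $ip = resolve_client_ip($remote, $xff, '10.0.0.23');
    printf("%-11s %-38s => %s\n", $remote, $xff, $ip ?? '(unchanged)');
}
```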

Settings

For standalone installs, the trusted proxy address can be set in Settings >> General, in the “Proxy IP” input. The plugin will try to suggest addresses based on the information that can be retrieved from the request that was used when accessing that page.

Another way to configure the trusted proxy IP is to add a define for MK_FRI_PROXY_IP in your wp-config.php that specifies it, for example:


define('MK_FRI_PROXY_IP', '::1');

This can be used for both standalone and network installs.

Important: The plugin does not try to detect duplicated addresses, and for it 127.0.0.1, ::1, and localhost are different addresses. You should use what the proxies will see. For example, while a load balancer might have a 23.24.25.26 address by which it is known to the wide world, internally it might be identified as 10.0.0.23, and for this plugin the internal identification is required.

Compatibility

WordPress 3.9 and above. Compatible with both standalone and multisite/network installs, but in a network only the wp-config.php based configuration is available.
