Reverse Proxies and VIP Go

VIP Go platform specific

This document is for sites running on VIP Go.

Overview

The speed and utility of the VIP Go edge cache service will cover many scenarios. However, if you do wish to use a reverse proxy to cover a particular use case, we will be happy to discuss your situation and advise you.

There are some provisions you will need to make when you deploy a reverse proxy in front of VIP Go to ensure that your application code and our platform functionality continue working as expected. Not making these provisions can result in side effects such as valid users being blocked at login.

Terms

  • End User: the person (or bot) that has requested a resource from your VIP Go hosted WordPress site.
  • Reverse Proxy: a service which sits between the end user and the VIP Go service, either passing requests through, intervening in requests, caching requests, or all three. Akamai and Cloudflare are examples of reverse proxy services you may have heard of.

Considerations

Performance and simplicity of support

We recognize that some requirements make a reverse proxy necessary. However, adding a reverse proxy is likely to decrease performance by some measure, and to increase the complexity of supporting the site to a degree.

Performance degradation is likely in several ways, for example:

  • Reverse proxies inherently add at least one hop to the network path for a request (i.e. from the proxy to VIP Go).
  • If the reverse proxy does not provide a globally distributed network of caching proxies (VIP Go does provide such a network) then it is likely that at least some of your site’s users will be routed suboptimally, increasing the time it takes for your pages to load.
  • Complexity is increased because the reverse proxy adds an additional layer of functionality to debug when issues arise, and because the WordPress.com VIP support team does not have direct control of the proxy, meaning we may need to communicate with the reverse proxy provider.

We’re happy to help you weigh the benefits of using a reverse proxy, and we already support many sites which use this functionality to support their business requirements. Please do contact us to talk through your use cases, and we’ll be happy to help.

What we need from you (or your reverse proxy provider)

Our preferred method of implementing a reverse proxy setup is as follows:

  • The reverse proxy should set a True-Client-IP HTTP request header with the IP of the end user
  • The reverse proxy should set an X-VIP-Proxy-Verification header with an agreed secret string as the value (contact us to agree on and set this string)
  • The reverse proxy should direct traffic to a domain mapped to the environment being proxied to, and not a .go-vip.co domain.

Correcting the remote IP address

VIP Go supports forwarding the end user’s IP address more securely when a reverse proxy is in use.

Example setup: User => Remote Proxy (e.g. Cloudflare) => VIP Go Edge Cache => Application (PHP/WP)

We need to ensure that the Application (i.e. WordPress, WordPress plugins, etc.) is passed the IP address of the End User, rather than the IP address of the Reverse Proxy. To accomplish this, an HTTP request header must be sent containing just the end user’s IP address, e.g. True-Client-IP ($_SERVER['HTTP_TRUE_CLIENT_IP']).

Sending the X-VIP-Proxy-Verification header along with True-Client-IP from the proxy allows us to verify the reverse proxy server using the secret key previously shared with us and saved in the site’s configuration on our end. The following code must then be used in the site’s vip-config.php file:

$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';
if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] )
	&& ! empty( $_SERVER['HTTP_X_VIP_PROXY_VERIFICATION'] )
	&& file_exists( $proxy_lib ) ) {
	require_once( $proxy_lib );
	Automattic\VIP\Proxy\fix_remote_address_with_verification_key(
		$_SERVER['HTTP_TRUE_CLIENT_IP'],
		$_SERVER['HTTP_X_VIP_PROXY_VERIFICATION']
	);
}
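
What the shared-secret check has to guarantee, shown as an added example (this is not the ip-forward.php library code and not VIP's own implementation): the forwarded address replaces the connecting peer's address only when the request carries the agreed secret and the header holds a single valid IP. `EXAMPLE_PROXY_SECRET` and `example_trusted_client_ip()` are hypothetical names, and the requests are constructed.

```php
<?php
// Added illustration, not the VIP mu-plugins code. EXAMPLE_PROXY_SECRET and
// example_trusted_client_ip() are hypothetical names.
const EXAMPLE_PROXY_SECRET = 'constructed-secret-for-illustration';

/**
 * Return the address the application should treat as the client for this request.
 * The forwarded address is honoured only when the sender presents the shared secret.
 */
function example_trusted_client_ip( array $server ): string {
	$peer      = $server['REMOTE_ADDR'];
	$forwarded = $server['HTTP_TRUE_CLIENT_IP'] ?? '';
	$presented = $server['HTTP_X_VIP_PROXY_VERIFICATION'] ?? '';

	// Without the secret, True-Client-IP is just a string any client can send.
	// hash_equals() compares in constant time, so timing does not leak the secret.
	if ( '' === $presented || ! hash_equals( EXAMPLE_PROXY_SECRET, $presented ) ) {
		return $peer;
	}
	// The header must hold exactly one valid IPv4/IPv6 address, not a list or free text.
	if ( false === filter_var( $forwarded, FILTER_VALIDATE_IP ) ) {
		return $peer;
	}
	return $forwarded;
}

// Constructed requests using documentation-range addresses.
$verified = [
	'REMOTE_ADDR'                   => '192.0.2.10',
	'HTTP_TRUE_CLIENT_IP'           => '203.0.113.7',
	'HTTP_X_VIP_PROXY_VERIFICATION' => EXAMPLE_PROXY_SECRET,
];
$requests = [
	'verified proxy' => $verified,
	'wrong secret'   => array_merge( $verified, [ 'HTTP_X_VIP_PROXY_VERIFICATION' => 'guess' ] ),
	'malformed IP'   => array_merge( $verified, [ 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7, 10.0.0.1' ] ),
	'no secret'      => [ 'REMOTE_ADDR' => '198.51.100.23', 'HTTP_TRUE_CLIENT_IP' => '203.0.113.7' ],
];
foreach ( $requests as $label => $server ) {
	printf( "%-14s => %s\n", $label, example_trusted_client_ip( $server ) );
}
```

Only the first request yields the forwarded address; the other three fall back to the connecting peer, which is the behaviour that keeps IP-based login protections meaningful.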

 

Alternate implementations

If an X-VIP-Proxy-Verification header cannot be set, the proxy can be verified by using an IP whitelist and passing the client IP in the True-Client-IP header. Please note that the whitelist must be kept up to date.

This implementation assumes a file vip-config/remote-proxy-ips.php, which contains an array of proxy IP addresses. The contents of the file should be similar to the example below:

<?php
// A constant defining an array of whitelisted IP addresses and/or CIDRs
// which equate to the possible IP addresses of your Remote Proxy
define( 'MY_PROXY_IP_WHITELIST', [
	'1.2.3.4/20',
	'5.6.7.8/20',
	'2.3.4.5',
] );

The IPs can be provided as fully qualified IPv4 or IPv6 addresses, or in CIDR notation.

Then, the following code checks that the Reverse Proxy’s IP address matches the whitelist, extracts the end user’s IP address from True-Client-IP, and forwards the End User’s real IP address as REMOTE_ADDR:

$proxy_lib = ABSPATH . '/wp-content/mu-plugins/lib/proxy/ip-forward.php';
// Both headers must be present: True-Client-IP carries the end user's address,
// X-Forwarded-For is the address checked against the whitelist.
if ( ! empty( $_SERVER['HTTP_TRUE_CLIENT_IP'] )
    && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] )
    && file_exists( $proxy_lib ) ) {
    require_once( __DIR__ . '/remote-proxy-ips.php' );
    require_once( $proxy_lib );

    Automattic\VIP\Proxy\fix_remote_address(
        $_SERVER['HTTP_TRUE_CLIENT_IP'],
        $_SERVER['HTTP_X_FORWARDED_FOR'],
        MY_PROXY_IP_WHITELIST
    );
}
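
The allowlist decision described above, as an added example (not the ip-forward.php library code): the proxy address is matched against single addresses and CIDR ranges for both IPv4 and IPv6, and anything malformed fails closed. `example_ip_in_range()` and `example_client_ip_via_allowlist()` are hypothetical names; the list reuses the page's sample entries plus one constructed IPv6 documentation range.

```php
<?php
// Added illustration, not the VIP mu-plugins code; both function names are hypothetical.

/** True when $ip lies inside $range (a single IPv4/IPv6 address or a CIDR). */
function example_ip_in_range( string $ip, string $range ): bool {
	[ $net, $bits ] = array_pad( explode( '/', $range, 2 ), 2, null );
	$ip_bin  = filter_var( $ip, FILTER_VALIDATE_IP ) ? inet_pton( $ip ) : false;
	$net_bin = filter_var( $net, FILTER_VALIDATE_IP ) ? inet_pton( $net ) : false;
	// Reject invalid input and IPv4/IPv6 family mismatches.
	if ( false === $ip_bin || false === $net_bin || strlen( $ip_bin ) !== strlen( $net_bin ) ) {
		return false;
	}
	$max  = strlen( $net_bin ) * 8;  // 32 for IPv4, 128 for IPv6.
	$bits = $bits ?? (string) $max;  // Bare address: every bit must match.
	if ( ! ctype_digit( $bits ) || (int) $bits > $max ) {
		return false; // Malformed prefix length: fail closed.
	}
	$full = intdiv( (int) $bits, 8 ); // Whole bytes covered by the prefix.
	$rest = (int) $bits % 8;          // Leftover bits in the next byte.
	if ( substr( $ip_bin, 0, $full ) !== substr( $net_bin, 0, $full ) ) {
		return false;
	}
	if ( 0 === $rest ) {
		return true;
	}
	// Compare only the prefix bits of the partial byte, so host bits in the entry are ignored.
	$mask = ( 0xFF << ( 8 - $rest ) ) & 0xFF;
	return ( ord( $ip_bin[ $full ] ) & $mask ) === ( ord( $net_bin[ $full ] ) & $mask );
}

/** Return $user_ip only if it is a valid address and $proxy_ip is allowlisted. */
function example_client_ip_via_allowlist( string $user_ip, string $proxy_ip, array $allowlist ): ?string {
	if ( ! filter_var( $user_ip, FILTER_VALIDATE_IP ) ) {
		return null;
	}
	foreach ( $allowlist as $range ) {
		if ( example_ip_in_range( $proxy_ip, $range ) ) {
			return $user_ip;
		}
	}
	return null;
}

// Constructed checks: the page's sample list plus one IPv6 documentation range.
$list = [ '1.2.3.4/20', '5.6.7.8/20', '2.3.4.5', '2001:db8::/32' ];
var_dump( example_client_ip_via_allowlist( '203.0.113.7', '1.2.9.9', $list ) );     // proxy inside the first /20
var_dump( example_client_ip_via_allowlist( '203.0.113.7', '1.2.16.1', $list ) );    // proxy just outside that /20
var_dump( example_client_ip_via_allowlist( '203.0.113.7', '2001:db8::1', $list ) ); // proxy inside the IPv6 range
```

An entry such as '1.2.3.4/20' covers 1.2.0.0 through 1.2.15.255, so a stale or overly broad range trusts every host in it to assert any client address.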

 
