Reverse Proxies¶
Overview¶
In some environments, Vinyl may be deployed behind a reverse proxy. The reverse proxy can mask details about the client connection, including the source IP address and whether or not the connection is secure. Usually, proxy servers preserve the pertinent information in custom HTTP headers. The de facto standard for this is X-Forwarded-For and related headers.
When configured appropriately, Vinyl can extract details about the original connection from custom HTTP headers. This requires manually adding application settings to the Web.config file in the Vinyl root directory. Since each proxy server is different, and custom HTTP headers can be forged, these settings are not configured by default.
Settings¶
| Name | Description | Example |
|---|---|---|
| ForwardedClientIpHeader | Client IP address. | X-Forwarded-For |
| ForwardedSchemeHeader | Client connection scheme (e.g. HTTP or HTTPS). | X-Forwarded-Proto |
| ForwardedHostHeader | Client connection host and optional port number | X-Forwarded-Host |
| ForwardedPortHeader | Client connection port number (e.g. 80 or 443) | X-Forwarded-Port |
Example Configuration¶
{
"ReverseProxy": {
"ForwardedClientIpHeader": "X-Forwarded-For",
"ForwardedSchemeHeader": "X-Forwarded-Proto",
"ForwardedHostHeader": "X-Forwarded-Host",
"ForwardedPortHeader": "X-Forwarded-Port"
}
}
Amazon Web Services¶
In an Amazon Elastic Beanstalk environment, Elastic Load Balancers (ELBs) function as reverse proxies, terminating HTTPS connections. ELBs support the X-Forwarded-* headers. When deployed within an Elastic Beanstalk environment, Vinyl will be configured automatically using Elastic Beanstalk environment properties.