How to Configure Trusted Proxies

How to configure Trusted Proxies in the Webscale Control Panel

Add trusted proxies in the Webscale control panel to add the X-Forwarded-For header to HTTP requests coming from those proxies. You do not have to provide any address sets for trusted proxies. If none are added, it creates a zero-trust environment that results in the X-Forwarded-For header being stripped and the peer address used as the client address.

What address sets should be trusted?

If the peer address of an incoming request is contained in one of the address sets, then the X-Forwarded-For header is decoded so that the request is treated as coming from the rightmost address that is not contained in any of the address sets.

For example, if Trusted Proxies is configured such that it allows 4.5.6.0/24 (that IP address is within a trusted address set) and the request originates from 4.5.6.7 with X-Forwarded-For: 1.2.3.4, 4.5.6.3, then the request will be treated as though it came from 1.2.3.4. More details about the X-Forwarded-For header can found on the Mozilla Developer Docs.

Trusted Proxies Only

If Trusted Proxies Only is enabled, then only Pingdom, the control address, and any proxies added here can access the application. Any other traffic from the internet will be dropped. This setting can add an additional layer of security to your application if you want all traffic to only come from a proxy service such as Cloudflare.

Trusted Proxies Header

This option changes the header used for Trusted Proxies. The choices are:

  • X-Forwarded-For (default): The usual header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.
  • True-Client-IP: Services such as Cloudflare and Akamai send this header to identify the IP address of the requester.
  • Custom: Input your own custom HTTP header here.

Further Reading

Have questions not answered here? Please Contact Support to get more help.


Last modified May 28, 2020