Using a Reverse Proxy with WP Engine
Many customers ask us if we support the use of reverse proxies on our system at WP Engine. The answer can sometimes be complex and situational. In the situations where reverse proxy is supported, there are often extra configuration steps needed. In this article we explain which reverse proxy situations are supported, and which are not.
About Reverse Proxy
A reverse proxy is a web server that sits in front of the server hosting your website content. A reverse proxy is often configured to offload static resources, pass only specific requests to your server, or to serve as a firewall for security purposes. There are many reasons why you might use a reverse proxy setup. Before we continue though, we should explain that WP Engine already uses reverse proxy on your server itself.
In this way, Nginx and page cache both behave as reverse proxies on your WP Engine environment.
(Supported) Firewall, CDN, or Load Balancing
Some services like Akamai, CloudFront, Sucuri WAF, and Fastly offer CDN, Security firewall, or load balancing by sending requests through their 3rd party servers and then proxying uncached page requests back to WP Engine.
WP Engine already load balances and uses reverse-proxy to manage cached/uncached pages, so many times these services are not needed on top of our own system. If your team does choose to configure these services, you will need to configure the proxy service to point to your WP Engine servers.
Our WP Engine Support team is not able to assist with configuring these settings. This is because adding a reverse proxy creates a layer of abstraction which prevents us from checking to see if the settings were properly configured.
Forward Real IP Addresses
To WP Engine servers it appears as though all traffic is coming from a single IP address (or a single range of IP addresses) when you configure a reverse proxy. This means if there are any bad actors sending abusive traffic, it appears that the IP address(es) of the proxy service is the abuser, which could cause it to be blocked. This will typically result in a 403 error or any number of other errors, depending on the service.
With that in mind, we strongly suggest you enable settings to forward the actual IP addresses of your users to WP Engine in a header. Most often an
True-Client-IP headers are used.
Once this setting is configured, please contact WP Engine Support to request we enable the interpretation of
True-Client-IP headers for your website, and provide us a supported IP address (or range of IP addresses) to whitelist for these headers. This will be the IP address your reverse proxy service is using to send traffic to WP Engine.
Enabling this setting allows us to block the true bad actors on your website where applicable, rather than blocking the entire proxy service.
(Unsupported) Serve WordPress in a subdirectory
While reverse proxy is able to be used in the scenarios outlined above, there is one scenario in which reverse proxy cannot be used: to serve WordPress from a subdirectory of your domain. EX:
Our platform tools like backups, site configurations, copying, and domain mapping all require your domain to be served from the root of your WordPress site, and not under a specific sub-directory. With that in mind, we do not support reverse proxy when specifically used to send traffic for a subdirectory to WP Engine.
However, if you wish to serve your WordPress website out of a subdomain this works just fine with our server setup. (e.g.
blog.mydomain.com). We encourage users whose root domain is not using WordPress to host the WordPress portion using a subdomain if possible.
If your plan allows, you may use WordPress Multisite with a subdirectory structure if you prefer. However, we would not recommend using WordPress Multisite as a means to accomplish the scenario outlined above. WordPress Multisite is best used when your root domain is hosted at WP Engine as the primary site in your Multisite network.