From 8bcefd474faf3eba1ab3dad0208fba279344fe00 Mon Sep 17 00:00:00 2001 From: Yuri Salimovskiy Date: Fri, 30 Jun 2023 12:17:25 +0300 Subject: [PATCH 1/4] docs on using reverse proxy / load balancers --- docs/config/config-files.md | 8 ++++++++ docs/general/system-configuration-overrides.md | 1 + docs/optimization/handling-extreme-traffic.md | 6 ++++++ 3 files changed, 15 insertions(+) diff --git a/docs/config/config-files.md b/docs/config/config-files.md index f2454ca98..a7f76858b 100644 --- a/docs/config/config-files.md +++ b/docs/config/config-files.md @@ -37,6 +37,14 @@ These are the mime types that are allowed to be uploaded using the upload class. The mime types are grouped by file type. You can add the allowed mime types directly or you can add new file types containing miltiple mimes. +#### Reverse Proxy IP addresses + +`proxy.php` + +If the server is behind reverse proxy or load balancer, the system would need special configuration to discover user's real IP address. If the IP address as passed in by server matches value or range specificed in this configuration file, the system will start looking into headers to determine real IP address, as forwarded by proxy/balancer. + +Please consult with provider of your reverse proxy or load balancing solutions for the IP addresses or ranges to use. Some providers would let you know the exact IP address of load balancer, while others would give you a range. Here are the links with information for some common providers: [CloudFlare](https://www.cloudflare.com/ips/), [Google Cloud](https://cloud.google.com/load-balancing/docs/https/#firewall_rules), [AWS Elastic](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html) + #### 'Remember me' expiration `remember.php` diff --git a/docs/general/system-configuration-overrides.md b/docs/general/system-configuration-overrides.md index e1fc3fa95..3884e03ba 100755 --- a/docs/general/system-configuration-overrides.md 
+++ b/docs/general/system-configuration-overrides.md @@ -2199,6 +2199,7 @@ Example Usage: ### `proxy_ips` Allow list of reverse proxy servers that may forward the visitor's IP address. +DEPRECATED. Use [`proxy.php` config file](config/config-files.md#reverse-proxy-ip-addresses) instead. | Value | Description | | ------------ | ------------------------------------ | diff --git a/docs/optimization/handling-extreme-traffic.md b/docs/optimization/handling-extreme-traffic.md index 076919090..843ee3c90 100755 --- a/docs/optimization/handling-extreme-traffic.md +++ b/docs/optimization/handling-extreme-traffic.md 
@@ -54,3 +54,9 @@ These can be disabled in your Control Panel [Tracking Preferences](control-panel ExpressionEngine's caching mechanisms can help reduce database load in most situations. However if you use file-based caching, that may transfer some of the resources saved from the database server to the web server. Thus, it is recommended that you use either the Memcached or Redis [caching driver](optimization/caching.md#caching-drivers) instead of the file driver, especially on high-traffic sites. The increased disk i/o from file caches being created and destroyed during a high traffic event consumes significantly more server resources than the memory-based caching drivers. If you are running in a PHP environment without Opcode caching, [saving templates as files](general/system-configuration-overrides.md#save_tmpl_files) can marginally increase disk i/o as each template must be retrieved from disk. We recommend running PHP 7 or greater so that this type of file activity is managed better by the server. + +## Using Load Balancers + +Using load balancer or reverse proxy server is popular solution to mitigare DDoS attacks and make handling high traffic easier. + +When the server is placed behind reverse proxy or load balancer, ExpressionEngine in default configuration might not know the user's real IP address because it would be substituted with the proxy IP address. Most of the proxies however would send the real user's IP in some HTTP headers. In order to use the data in those headers to obtain the real user IP address, you need to configure the system to make it aware of the list of trusted proxy IP addresses or ranges. This can be done using [`proxy.php` configuration file](config/config-files.md#reverse-proxy-ip-addresses). \ No newline at end of file From a8644ac070eb73bfd8229cf74e04d1b9c3de34a6 Mon Sep 17 00:00:00 2001 
From: Bryan Nielsen Date: Thu, 8 Feb 2024 12:41:49 -0500 Subject: [PATCH 2/4] Update config-files.md --- docs/config/config-files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/config/config-files.md b/docs/config/config-files.md index a7f76858b..8c239cec2 100644 --- a/docs/config/config-files.md +++ b/docs/config/config-files.md @@ -41,7 +41,7 @@ The mime types are grouped by file type. You can add the allowed mime types dire `proxy.php` -If the server is behind reverse proxy or load balancer, the system would need special configuration to discover user's real IP address. If the IP address as passed in by server matches value or range specificed in this configuration file, the system will start looking into headers to determine real IP address, as forwarded by proxy/balancer. +If the server is behind a reverse proxy or load balancer the system will need special configuration to discover a user's real IP address. If the IP address passed along by the server matches a value or range specificed in this configuration file the system will look at the request headers to determine the real IP address. Please consult with provider of your reverse proxy or load balancing solutions for the IP addresses or ranges to use. Some providers would let you know the exact IP address of load balancer, while others would give you a range. Here are the links with information for some common providers: [CloudFlare](https://www.cloudflare.com/ips/), [Google Cloud](https://cloud.google.com/load-balancing/docs/https/#firewall_rules), [AWS Elastic](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html) From ec747344979d5f3cbc9dbf5157445c8d59710815 Mon Sep 17 00:00:00 2001 From: Bryan Nielsen Date: Thu, 8 Feb 2024 12:42:45 -0500 Subject: [PATCH 3/4] Update config-files.md --- docs/config/config-files.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/config/config-files.md b/docs/config/config-files.md index 8c239cec2..b70aa6855 100644 --- a/docs/config/config-files.md +++ b/docs/config/config-files.md @@ -43,7 +43,7 @@ The mime types are grouped by file type. You can add the allowed mime types dire If the server is behind a reverse proxy or load balancer the system will need special configuration to discover a user's real IP address. If the IP address passed along by the server matches a value or range specificed in this configuration file the system will look at the request headers to determine the real IP address. -Please consult with provider of your reverse proxy or load balancing solutions for the IP addresses or ranges to use. Some providers would let you know the exact IP address of load balancer, while others would give you a range. Here are the links with information for some common providers: [CloudFlare](https://www.cloudflare.com/ips/), [Google Cloud](https://cloud.google.com/load-balancing/docs/https/#firewall_rules), [AWS Elastic](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html) +Please consult with the provider of your reverse proxy or load balancing solutions for the IP addresses or ranges to use. Some providers will let you know the exact IP address of the load balancer, while others will give you a range. Here are the links with information for some common providers: [CloudFlare](https://www.cloudflare.com/ips/), [Google Cloud](https://cloud.google.com/load-balancing/docs/https/#firewall_rules), [AWS Elastic](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/network-load-balancers.html) #### 'Remember me' expiration From 0eb5477e8ea9c55de9d1619c90429a49ce6abc05 Mon Sep 17 00:00:00 2001 From: Bryan Nielsen Date: Thu, 8 Feb 2024 12:48:20 -0500 Subject: [PATCH 4/4] Update handling-extreme-traffic.md --- docs/optimization/handling-extreme-traffic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/optimization/handling-extreme-traffic.md b/docs/optimization/handling-extreme-traffic.md index 843ee3c90..f2ff5c937 100755 --- a/docs/optimization/handling-extreme-traffic.md +++ b/docs/optimization/handling-extreme-traffic.md @@ -57,6 +57,6 @@ If you are running in a PHP environment without Opcode caching, [saving template ## Using Load Balancers -Using load balancer or reverse proxy server is popular solution to mitigare DDoS attacks and make handling high traffic easier. +Using a load balancer or reverse proxy is a popular solution to mitigate DDoS attacks and make handling large amounts of traffic easier. -When the server is placed behind reverse proxy or load balancer, ExpressionEngine in default configuration might not know the user's real IP address because it would be substituted with the proxy IP address. Most of the proxies however would send the real user's IP in some HTTP headers. In order to use the data in those headers to obtain the real user IP address, you need to configure the system to make it aware of the list of trusted proxy IP addresses or ranges. This can be done using [`proxy.php` configuration file](config/config-files.md#reverse-proxy-ip-addresses). \ No newline at end of file +When a server is placed behind a reverse proxy or load balancer ExpressionEngine might not know the user's real IP address because it would be substituted with the proxy's IP address. Most proxies however will preserve the real user's IP address and forward it through a request header. In order to use the data in those headers to obtain the real user's IP address you need to configure the system to recognize and trust the proxy IP addresses. This can be done using the [`proxy.php` configuration file](config/config-files.md#reverse-proxy-ip-addresses).
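Review bot: in PATCH 1/4, the new "Reverse Proxy IP addresses" section added to docs/config/config-files.md names `proxy.php` but never shows what the file contains, which notation a range takes, or which request headers are read once the connecting address matches. Please add a short sample of the file with one single address and one range, and name the headers. Every address listed there is allowed to dictate the visitor IP the system records, so the text should also tell readers to list only the proxies or balancers actually in front of this server and to keep ranges as narrow as the provider's published list allows. "specificed" in the second sentence should read "specified".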
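Review bot: in PATCH 1/4, the `+DEPRECATED.` line under `### proxy_ips` in docs/general/system-configuration-overrides.md does not say what happens to an existing `proxy_ips` override: whether it is still honoured, and which setting wins when both it and `proxy.php` are present. Without that, someone who has migrated only partly cannot tell which allow list is in effect. As far as the hunk shows, the line is also added without a blank line of its own around it, so it will run into the neighbouring description or table when rendered; give the notice its own paragraph.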
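Review bot: in PATCH 2/4, the rewritten `+` paragraph in docs/config/config-files.md still carries "specificed" from PATCH 1/4; it should read "specified". The rewrite also drops "as forwarded by proxy/balancer", which leaves "the system will look at the request headers" with no hint of which headers are meant, so naming them here would help. Both new sentences want a comma after the introductory clause ("load balancer, the system" and "configuration file, the system"). The subject "Update config-files.md" says nothing about the change; a subject that mentions the reverse proxy section would make the history searchable.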
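Review bot: in PATCH 3/4, the `+` paragraph keeps the provider links unchanged, and they are not all the same kind of page. Judging by the URLs, the CloudFlare link is a list of addresses, while the "AWS Elastic" link goes to the network-load-balancers overview, so the promise of "the IP addresses or ranges to use" may not hold for every link; please check each target and point at the page that actually lists addresses. The label "CloudFlare" should follow the provider's own spelling, "Cloudflare", and "AWS Elastic" reads as truncated ("AWS Elastic Load Balancing").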
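Review bot: in PATCH 4/4, the final `+` paragraph of docs/optimization/handling-extreme-traffic.md still ends with "\ No newline at end of file"; add the trailing newline while this line is being rewritten. The phrase "recognize and trust the proxy IP addresses" would be clearer if it stated the other half of the rule described in config-files.md, namely that forwarded headers are only consulted when the connecting address is on the list. Commas are missing after "load balancer" and around "however". Since this patch only corrects wording introduced in PATCH 1/4 (for example "mitigare"), consider squashing 2/4 through 4/4 into 1/4 so the typos never land in history.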