Using a Reverse Proxy with WP Engine
Many customers ask us if we support the use of reverse proxies on our system at WP Engine. The answer can sometimes be complex and situational. In the situations where reverse proxy is supported, there are often extra configuration steps needed. In this article we explain which reverse proxy situations are supported, and which are not.
About Reverse Proxy
A reverse proxy is a web server that sits in front of the server hosting your website content and is often configured to offload static resources, pass only specific requests to your server, or to serve as a firewall for security purposes. There are many reasons why you might use a reverse proxy setup. Before we continue though, we should explain that WP Engine already uses reverse proxy on your server itself.
WP Engine uses a dual-web-server setup: Nginx works as a traffic director to receive all requests to your web server. It quickly and easily serves all static files: images, CSS, JavaScript, and so on. It also determines whether a page exists in our page caching layer. If a cached version of the page exists, it is served up to the end user of your website quickly. If a cached version does not exist, Nginx reverse-proxies the request to be processed by our backend PHP processing system.
In this way, Nginx and page cache both behave as reverse proxies on your WP Engine environment.
Additionally, WP Engine offers CDN services. CDN takes the reverse proxy a step further, and distributes your static files (images, CSS, JavaScript) across a network of global servers for faster access around the world. In this way, only full page requests make it back to the WP Engine server system in the first place.
With that in mind, users who wish to use CDN (Akamai, Fastly) as a reverse proxy may already find this at WP Engine without needing third-party services.
(Supported) Firewall, CDN, or Load Balancing
Some services like Akamai, CloudFront, Sucuri WAF, and Fastly offer CDN, Security firewall, or load balancing by sending requests through their 3rd party servers and then proxying uncached page requests back to WP Engine.
WP Engine already load balances and uses reverse-proxy to manage cached/uncached pages, so many times these services are not needed on top of our own system. If your team does choose to configure these services, you will need to configure the proxy service to point to your WP Engine servers.
Our WP Engine Support team is not able to assist with configuring these settings. This is because adding a reverse proxy creates a layer of abstraction which prevents us from checking to see if the settings were properly configured.
Forward Real IP Addresses
To WP Engine servers it appears as though all traffic is coming from a single IP address (or a single range of IP addresses) when you configure a reverse proxy. This means if there are any bad actors sending abusive traffic, it appears that the IP address(es) of the proxy service is the abuser, which could cause it to be denied. This will typically result in a 403 error or any number of other errors, depending on the service.
With that in mind, we strongly suggest you enable settings to forward the actual IP addresses of your users to WP Engine in a header. Most often an X-Forwarded-For or True-Client-IP header is used.
Once this setting is configured, please contact WP Engine Support to request we enable the interpretation of X-Forwarded-For/True-Client-IP headers for your website, and provide us a supported IP address (or range of IP addresses) to allow for these headers. This will be the IP address your reverse proxy service is using to send traffic to WP Engine.
Enabling this setting allows us to deny the true bad actors on your website where applicable, rather than denying the entire proxy service.
NOTE: If your reverse proxy service uses randomized IP addresses, we will have to accept these headers from all IP addresses, which is much less secure and not recommended.
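The trust rule described in this section, as an added Python example (not WP Engine's own code or configuration): forwarding headers are honoured only when the connection comes from the registered proxy range. The function name, the header precedence and the 203.0.113.0/24 range are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values: documentation ranges, not real WP Engine or proxy IPs.
PROXY_RANGE = [ipaddress.ip_network("203.0.113.0/24")]  # range given to Support
ANY_SOURCE = [ipaddress.ip_network("0.0.0.0/0")]        # the "randomized IPs" case


def _trusted(addr, networks):
    return any(addr in net for net in networks)


def _parse(value):
    """Return an ip_address object, or None when the value is not an IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def resolve_client_ip(peer_ip, headers, allowed=PROXY_RANGE):
    """Return the address to log and block for one request.

    peer_ip -- source address of the TCP connection
    headers -- request headers as a dict with lower-cased names
    allowed -- networks permitted to supply forwarding headers
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anything outside the allowed range is client-controlled.
    if not _trusted(peer, allowed):
        return str(peer)

    # Assumption: True-Client-IP (one address) wins when both headers are present.
    single = _parse(headers.get("true-client-ip", ""))
    if single is not None:
        return str(single)

    # X-Forwarded-For is a list; each proxy appends the address it received from.
    # Walk right to left and stop at the first hop that is not an allowed proxy.
    client = peer
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # empty or malformed entry: trust nothing to its left
        client = addr
        if not _trusted(addr, allowed):
            break
    return str(client)
```

Passing ANY_SOURCE as the allowed list reproduces the situation in the NOTE above: the header is then accepted from a direct client as well, so the resolved address is whatever that client chose to send.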
(Unsupported) Serve WordPress in a subdirectory
While reverse proxy is able to be used in the scenarios outlined above, there is one scenario in which reverse proxy cannot be used: to serve WordPress from a subdirectory of your domain. EX: mydomain.com/wordpress or mydomain.com/blog
Our platform tools like backups, site configurations, copying, and domain mapping all require your domain to be served from the root of your WordPress site, and not under a specific sub-directory. With that in mind, we do not support reverse proxy when specifically used to send traffic for a subdirectory to WP Engine.
Read more about serving WordPress from a subdirectory, such as /blog.
However, if you wish to serve your WordPress website out of a subdomain this works just fine with our server setup (e.g. wordpress.mydomain.com or blog.mydomain.com). We encourage users whose root domain is not using WordPress to host the WordPress portion using a subdomain if possible.
If your plan allows, you may use WordPress Multisite with a subdirectory structure if you prefer. However, we would not recommend using WordPress Multisite as a means to accomplish the scenario outlined above. WordPress Multisite is best used when your root domain is hosted at WP Engine as the primary site in your Multisite network.