Many customers ask us if we support the use of reverse proxies on our system at WP Engine. The answer can sometimes be complex and situational. In the situations where reverse proxy is supported, there are often extra configuration steps needed. In this article we explain which reverse proxy situations are supported, and which are not.
What is a reverse proxy?
A reverse proxy is a web server that sits in front of the server hosting your website content, to offload static resources, pass only specific requests to your server, or to serve as a firewall for security purposes. There are many reasons why you might use a reverse proxy setup. Before we continue though, we should explain that WP Engine actually uses reverse proxy on your server itself.
WP Engine uses a dual-web-server setup: Nginx works as a traffic director to receive all requests to your web server. It quickly and easily serves all static files: images, CSS, JavaScript, and so on. It also determines whether a page exists in our page caching layer (EverCache). If a cached version of the page exists, it is served up to the end user of your website quickly. If a cached version does not exist, Nginx reverse-proxies the request to be processed by our backend PHP processing system.
In this way, Nginx and EverCache both behave as reverse proxies on your WP Engine environment.
Additionally, WP Engine offers CDN services. CDN takes the reverse proxy a step further, and distributes your static files (images, CSS, JavaScript) across a network of global servers for faster access around the world. In this way, only full page requests make it back to the WP Engine server system in the first place.
With that in mind, users who wish to use CDN (Akamai, Fastly) as a reverse proxy may already find this at WP Engine without needing third-party services.
Using reverse proxy for Firewall, CDN, or Load Balancing services
Some services like Akamai, CloudFront, Sucuri WAF, and Fastly offer CDN (content delivery network), security firewall, or load balancing features by sending requests through their third-party servers and then proxying uncached page requests back to WP Engine.
Because WP Engine already load balances and uses reverse proxy to manage cached/uncached pages, these services are often not needed on top of our own system. However, if your team does choose to configure these services, you will need to configure the proxy service to point to your WP Engine servers. Our WP Engine Support team is not able to assist with configuring these settings. This is because adding a reverse proxy creates a layer of abstraction which prevents us from checking whether the settings were properly configured.
Forwarding real IP addresses
Additionally, once these services are configured, all traffic appears to our servers to come from a single IP address (or a single range of IP addresses). This means that if any bad actors send abusive traffic, the IP address(es) of the proxy service appear to be the abuser, which may cause them to be blocked. With that in mind, we strongly suggest you enable settings to forward the actual IP addresses of your users to WP Engine in a header (most often an X-Forwarded-For or True-Client-IP header).
Once this setting is configured, please contact WP Engine Support to request we enable the interpretation of X-Forwarded-For/True-Client-IP headers for your website, and provide us a supported IP address (or range of IP addresses) to whitelist for these headers. This will be the IP address your reverse proxy service is using to send traffic to WP Engine. Enabling this setting allows us to block the true bad actors on your website where applicable, rather than blocking the entire proxy service. Please note: If your reverse proxy service uses randomized IP addresses, we will have to accept these headers from any IP address, which is less secure.
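The trust decision described above, as an added example (not WP Engine's code or configuration): forwarded-IP headers are honored only when the connection itself comes from the allowlisted proxy range. The function names, the lower-cased header keys, and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed value: a documentation-range network standing in for the
# proxy service's egress range. Not a real WP Engine or vendor address.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(addr, trusted):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(peer, headers, trusted=TRUSTED_PROXIES):
    """Return the address that blocking should act on for one request."""
    # A connection from outside the proxy range gets no say: any sender
    # can put any value in these headers.
    if not is_trusted(peer, trusted):
        return peer
    # True-Client-IP carries a single address set by the proxy.
    tci = headers.get("true-client-ip", "").strip()
    if tci:
        try:
            return str(ipaddress.ip_address(tci))
        except ValueError:
            pass  # malformed value: fall through to X-Forwarded-For
    # X-Forwarded-For is "client, proxy1, proxy2": each hop appends the
    # address it received the request from. Walk from the right and stop
    # at the first hop that is not a trusted proxy.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # garbage in the chain: stop trusting it
    return peer
```

Passing a catch-all range such as 0.0.0.0/0 as `trusted` makes the function return whatever True-Client-IP value the sender supplies, which is the "accept these headers from any IP address" case the article calls less secure.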
Unsupported: Reverse proxy to serve WordPress in a subdirectory
While reverse proxy can be used in the scenarios outlined above, there is one scenario in which it cannot be used: to serve WordPress from a subdirectory of your domain (e.g. mydomain.com/wordpress or mydomain.com/blog).
Our platform tools like backups, site configurations, copying, and domain mapping all require your domain to be served from the root of your WordPress site, and not under a specific sub-directory. With that in mind, we do not support reverse proxy when specifically used to send traffic for a subdirectory to WP Engine. Read more about serving WordPress from a subdirectory.
However, if you wish to serve your WordPress website out of a subdomain (e.g. wordpress.mydomain.com or blog.mydomain.com), this works just fine with our server setup. We encourage users whose root domain is not using WordPress to host the WordPress portion using a subdomain if possible.
If your plan allows, you may use WordPress Multisite with a subdirectory structure if you prefer. However, we would not recommend using WordPress Multisite as a means to accomplish the scenario outlined above. WordPress Multisite is best used when your root domain is hosted at WP Engine, as the primary site in your Multisite.