Client IP - Ferron 2 documentation

Client IP

If Ferron runs behind another proxy/load balancer, the direct peer address may be the proxy, not the real user IP. Configure trusted forwarding so logging, access control, and rate limiting use client IPs correctly.

Behind HTTP reverse proxies (X-Forwarded-For)

// Replace "example.com" with your domain name.
example.com {
    trust_x_forwarded_for
    proxy "http://127.0.0.1:3000/"
}

Use this when the upstream proxy sets X-Forwarded-For.

Behind L4 load balancers (PROXY protocol)

globals {
    protocol_proxy
}

example.com {
    proxy "http://127.0.0.1:3000/"
}

Use this when your front load balancer sends PROXY protocol headers.

Pass normalized client IP to upstream apps

example.com {
    proxy "http://127.0.0.1:3000/"
    proxy_request_header_replace "X-Real-IP" "{client_ip_canonical}"
}

Notes and troubleshooting

Enable trust_x_forwarded_for only when traffic is coming through a trusted proxy path.
Enable protocol_proxy only when your frontend actually sends PROXY protocol headers.
Validate behavior using access logs before relying on IP-based allow, block, or limit policies.
For directive details, see Configuration: security & TLS, Configuration: core directives, and Configuration: reverse proxying.