Finding the IP address of your visitors

When you create an account on we give you lots of powerful tools to improve your website’s performance and security. There are great charts showing how many requests are being served and what is being done to them. You can dig into the logs and see how each request flows through and what happens to it.

However, it is important to remember that at our core, we are providing a reverse-proxy service, that is, we handle HTTP requests on behalf of your website. This also means that any request that doesn’t get cached, redirected or blocked will eventually be passed back to your website. AKA The Origin.

When your first setup your site on we resolve the DNS of the hostname you enter and set that as the origin address. This origin address is stored in a JSON file in the root of the git repository for your application. We have documentation on how to view and change the origin address that we point at.

Who is connecting to my site?

Often you want to know the IP address of who is viewing your site. Possibly to know where they are in the world using Geo-IP or to do fraud detection. Once you change your website’s DNS to point at every request for your website will pass through our servers before going to your site. This means that from your website’s perspective all requests will be coming from us. This means that the usual way of finding the IP address of the visitors to your site won’t work. Usually you would get the requesting IP address. In PHP this would be $_SERVER['REMOTE_ADDR'] or in ruby it’s request.env['REMOTE_ADDR']. in .NET it’s HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]. All of these values are the IP address of the computer that is connecting to your site. Once you put in front of your site, that IP address will be one of our servers, which is not very helpful in this case.

So what to do?

x-forwarded-for to the rescue! When a HTTP request comes from to your website it will have an additional request header: x-forwarded-for. The value of this request header will be the IP address of the computer that connected to This is the address that would have been in $_SERVER['REMOTE_ADDR'] previously.

This means that if you’re writing code on your site to check the IP address of your visitors, always check the x-forwarded-for header before looking at the remote address value. If you’ve got a Magento site that has a plugin doing geo-ip features, make sure it uses the x-forwarded-for value. And if your payment gateway does fraud detection based on an IP address, check that the gateway will use the x-forwarded-for header .

The x-forwarded-for header is a useful tool to allow you to still have visibility of who is viewing your site while still getting all the benefits of a powerful reverse-proxy service like

Blog Categories

Interested in articles about a specific topic? Click on a category to see all related content. Sign up

Want to get started improving your website performance, scalability, and security? Sign up for a 14 day free trial of and see what we can do for you!

Get started