.. meta::
   :description: Learn how to use forward client IP address when
                 ThinLinc Web Access or ThinLinc Web Admninistration
                 is used behind a reverse proxy.

.. _forwarding_client_ip:

Forwarding client IP addresses
------------------------------

When ThinLinc is run behind a reverse proxy, all incoming connections
originate from the proxy server’s IP address. This prevents ThinLinc
from identifying the original client. To solve this, ThinLinc supports
the :file:`X-Forwarded-For` HTTP header. Most proxies can be configured
to add this header, which passes the original client IP along with the
request.

To use this feature, you must tell ThinLinc which proxies to trust by
populating the :servconf:`/webaccess/trusted_proxies` parameter with
your proxy’s IP address. ThinLinc will only accept the
:file:`X-Forwarded-For` header from these trusted sources.

When one or more trusted proxies are configured, the server will scan
the :file:`X-Forwarded-For` header to find the connecting client’s true
IP address. The search stops when an untrusted address is found, and
this becomes the new client address.

.. warning::

   Do not configure trusted proxies if you are not absolutely sure that all
   listed proxies can be trusted (i.e., are controlled by you) and are
   correctly configured. Otherwise, your system may be susceptible to
   spoofing attacks.
