Forwarding client IP addresses

When ThinLinc is run behind a reverse proxy, all incoming connections originate from the proxy server’s IP address. This prevents ThinLinc from identifying the original client. To solve this, ThinLinc supports the X-Forwarded-For HTTP header. Most proxies can be configured to add this header, which passes the original client IP along with the request.

To use this feature, you must tell ThinLinc which proxies to trust by populating the /webaccess/trusted_proxies parameter with your proxy’s IP address. ThinLinc will only accept the X-Forwarded-For header from these trusted sources.

When one or more trusted proxies are configured, the server will scan the X-Forwarded-For header to find the connecting client’s true IP address. The search stops when an untrusted address is found, and this becomes the new client address.

Warning

Do not configure trusted proxies if you are not absolutely sure that all listed proxies can be trusted (i.e., are controlled by you) and are correctly configured. Otherwise, your system may be susceptible to spoofing attacks.