Proxy based authentication advanced configuration
Originating IP addresses
Some features of Search Guard operate on the IP address of the client: This includes
sg_authc.yml, or the IP-based role assignment in
When operating Search Guard behind a proxy, however, it is always the IP address of the proxy which creates the connections to Search Guard. To be able to
use the actual originating client IP anyway, Search Guard uses the
X-Forwarded-For HTTP header to determine the originating client IP whenever a trusted proxy is configured.
Search Guard checks the IP addresses listed in the
X-Forwarded-For HTTP header from right to the left; the first IP address which does not match the
network.trusted_proxies CIDR pattern, will be considered the actual originating IP address.
Note: This IP address will be then used by the
skip.ips. If you want to check the IP address of the direct connection, you can use
If your proxy uses a different name of the
X-Forward-For header, you can configure that name in
sg_authc.yml with the option