Reverse Proxy Servers and Vercel

We do not recommend placing a reverse proxy server in front of your Vercel project as it affects the Vercel's firewall in the following ways:

  • Vercel's Edge Network loses visibility into the traffic, which reduces the effectiveness of the firewall in identifying suspicious activity.
  • Real end-user IP addresses cannot be accurately identified.
  • If the reverse proxy undergoes a malicious attack, this traffic can be forwarded to the Vercel project and cause usage spikes.
  • If the reverse proxy is compromised, Vercel's firewall cannot automatically purge the cache.

However, you may still need to use a reverse proxy server. For example, your organization has legacy web applications protected by a reverse proxy and mandates that your Vercel project also uses this reverse proxy.

In such a case, you want to ensure that Vercel's platform-wide firewall does not block this proxy server due to the reasons mentioned above.

  • TLS setup: Disable HTTP→HTTPS redirection for http://<DOMAIN>/.well-known/acme-challenge/* on port 80
  • Cache control: Never cache https://<DOMAIN>/.well-known/vercel/* paths
  • Plan eligibility:
    • Hobby/Pro: Verified Proxy Lite only
    • Enterprise: Lite + Advanced (self-hosted/geolocation preservation)

Verified Proxy is automatically enabled for the providers listed below on all plans. Any other provider or a self-hosted proxy (for example, Nginx, HAProxy, etc) requires a manual onboarding process (Enterprise only).

ProviderRequired HeaderConfiguration
FastlyFastly-Client-IPA built-in header. No additional configuration required.
Google Cloud Load BalancingX-GCP-Connecting-IPAdd a custom header: X-GCP-Connecting-IP: {client_ip_address} using their built-in variables.
CloudflareCF-Connecting-IPA built-in header. No additional configuration required.
AWS CloudFrontCloudFront-Viewer-AddressEnable the header via the Origin Request Policy.
Imperva CDN (Cloud WAF)Incap-Client-IPA built-in header. No additional configuration required.
AkamaiTrue-Client-IPEnable the header via the property manager. Clients may be able to spoof the header; work with Akamai to harden the configuration. You must also enable the Origin IP ACL feature.
Azure Front DoorX-Azure-ClientIPA built-in header. No additional configuration required.
F5X-F5-True-Client-IPAdd a custom header: X-F5-True-Client-IP: {client_ip_address}

Verified Proxy Advanced is available on Enterprise plans

Ensure that the following requirements are met if you are running self-hosted reverse proxies:

  • Your proxy must have static egress IP addresses assigned. We cannot support dynamic IP addresses.
  • Your proxy must send a custom request header that carries the real client IP (e.g. x-${team-slug}-connecting-ip).
  • Your proxy must enable SNI (Server Name Indication) on outbound TLS connections.
  • Use consistent and predictable Vercel project domains for onboarding. For example, use *.vercel.example.com and ensure your Proxy always sends traffic to those specific hostnames.

For detailed setup instructions, please contact your Customer Success Manager or Account Executive.

Last updated on July 9, 2025