When running CakePHP behind a reverse proxy (Docker, nginx, Cloudflare, etc.), using env('REMOTE_ADDR') directly returns the proxy's internal IP instead of the real client IP. The fix involves using ServerRequest::clientIp() with a TrustedProxyMiddleware that reads X-Forwarded-For headers from configured trusted proxy IP ranges. The post walks through creating the middleware, configuring trusted proxy IPs in app config, replacing all direct REMOTE_ADDR usages, handling multi-proxy chains, and verifying the setup. It also covers CLI context limitations where clientIp() is unavailable and the IP must be captured at request time.
Sort: