If you're running PostHog behind a proxy, there are a few more things you need to do to make sure PostHog works. You usually need this if running behind a web server like Apache or NGINX, a load balancer (like ELB), or a DDoS protection service (like Cloudflare).
Setup
If PostHog is running behind a proxy, you need to do the following:
- Set the IS_BEHIND_PROXYenvironment variable toTrue. This will make sure the client's IP address is properly calculated, and SSL is properly handled (e.g. for OAuth requests).
- Set your trusted proxies configuration.
- Depending on your setup, you might also need to set the ALLOWED_HOSTSenvironment variable. If you don't allow all hosts (i.e. you are allowlisting specific hosts), you will need to set the address(es) of your proxy here.
Trusted proxies
Trusted proxies are used to determine which proxies to consider as valid from the X-Forwarded-For HTTP header included in all requests to determine the end user's real IP address. Specifically allowlisting your proxy server's address prevents spoofing of the end user's IP address while ensuring your service works as expected. There are two ways of setting up trusted proxies.
- Recommended. Set a list of trusted IP addresses for your proxies via the TRUSTED_PROXIESenvironment variable (comma-separated list of IP addresses).
- Trust all proxies by setting TRUST_ALL_PROXIESenvironment variable toTrue(not recommended unless you have a strong reason for which allowlisting specific addresses wouldn't work for you).
Common issues
- Some users have reported getting infinite redirects when running behind a proxy. Make sure the X-Forwarded-Protoheader is set tohttpsif you have HTTPS enabled. Alternatively, you can set theDISABLE_SECURE_SSL_REDIRECTvariable to make PostHog run using HTTP.- If you use a load balancer, it is recommended to terminate the SSL connection at the load balancer (remember to set DISABLE_SECURE_SSL_REDIRECTtoTrue) and connect via HTTP to your PostHog container (make sure your container is behind a firewall or VPC to prevent unauthorized connections), you would then enforce SSL/TLS connections at the load balancer level.
 
- If you use a load balancer, it is recommended to terminate the SSL connection at the load balancer (remember to set 
- If you have IP blocks that are not working and you're running behind a proxy, your instance may be misconfigured, preventing PostHog from determining the connecting IP address.
Public endpoints
If you're setting up a proxy to protect your PostHog instance and prevent access only through an authorized connection, you should consider there are some endpoints that must always be publicly accessible in order for event ingestion, session recording and feature flags to work properly. These endpoints are listed below.
| Path | Description | 
|---|---|
| /batch | Endpoint for ingesting/capturing events. | 
| /decide | Endpoint that enables autocapture, session recording, feature flags & compression on events. | 
| /capture | Endpoint for ingesting/capturing events. | 
| /e | Endpoint for ingesting/capturing events. | 
| /engage | Endpoint for ingesting/capturing events. | 
| /s | Endpoint for capturing session recordings. | 
| /static/array.js | Frontend javascript code that loads posthog-js. | 
| /static/recorder-v2.js | Frontend javascript code that loads recordings v2 in posthog-js. | 
| /static/recorder.js | Frontend javascript code that loads recordings in posthog-js. | 
| /static/surveys.js | Frontend javascript code that loads surveys in posthog-js. | 
| /track | Endpoint for ingesting/capturing events. | 
NGINX config (Recommended)
You need to make sure your proxy server is sending X-Forwarded-For headers. For NGINX, that config should look something like this:
Apache2 config
You need the proxy proxy_http and proxy_html modules enabled.
To do this, run sudo a2enmod proxy proxy_http proxy_html.
Make sure SSL is enabled, and include the X-Forwarded-Proto header so that PostHog knows it.