Shopify App Proxy Returning Incorrect IP Address in x-forwarded-for Header

Technical Q&A

Topic summary

Main issue: x-forwarded-for now returns a Shopify/AWS eu-central-1 IP instead of the shopper’s actual IP, breaking affiliate tracking that depends on accurate client IPs.

Setup: Customer → Shopify app (Vercel) → Shopify App Proxy → own server; the server reads x-forwarded-for for the client IP per Shopify docs.

Expected vs Actual:

  • Expected: x-forwarded-for contains the original customer IP (the person browsing the store).
  • Actual: x-forwarded-for contains what appears to be an internal Shopify infrastructure IP tracing to AWS eu-central-1.

Timeline: Behavior change started about a month ago.

Key terms:

  • x-forwarded-for (XFF): HTTP header used to convey the original client IP when requests pass through proxies.
  • Shopify App Proxy: mechanism that forwards storefront requests to an external app endpoint.

Open questions: Is this a misconfiguration or a known Shopify issue? Any guidance appreciated.

Status: No resolution or action items yet; discussion remains open with unanswered questions. No code snippets or attachments central to understanding (a documentation link is referenced).

Summarized with AI on November 25. AI used: gpt-5.
1

Hello,

I’ve developed a Shopify app for my clients that relies on accurate IP addresses for affiliate tracking functionality. According to the Shopify documentation, I should be able to rely on the x-forwarded-for header to get the customer’s IP address.

My Setup:

  • Customer browsing store → Shopify App (hosted on Vercel) → Shopify App Proxy → My server

  • My server reads the x-forwarded-for header to identify the customer’s IP

The Problem: Starting about a month ago, the IP address I’m receiving from the x-forwarded-for header is no longer the customer’s actual IP. Instead, I’m getting an IP address that traces back to an AWS eu-central-1 server, which appears to be a Shopify infrastructure server.

Expected Behavior: The x-forwarded-for header should contain the original customer’s IP address (the person browsing the store).

Actual Behavior: The header contains what appears to be an internal Shopify server IP address instead.

Questions:

  1. Am I doing something wrong? My setup is fairly simple
  2. Is this a known issue, or an issue just to me

Any guidance would be greatly appreciated! Thanks in advance!