Showing the visitor's IP
A page can show a visitor their own IP address. Two things make this work:
[% client_ip %]-
a Template Toolkit variable holding the visitor's IP. It is the first hop of the
X-Forwarded-Forheader (the real client when the site is behind a reverse proxy) if present, otherwise the direct connection addressREMOTE_ADDR. nocache: true-
the IP is different for every visitor, so the page must render fresh each time.
nocache: truein the front matter renders on every request and never caches, so each visitor sees their own IP (a cached page would show whoever loaded it first).
Simplest: show it directly
A whole page that renders the IP live:
---
title: Your IP
nocache: true
---
Your IP address is **[% client_ip %]**.
Keep a page cached, fetch the IP with JavaScript
To show the IP on a page you want to keep cached (fast), put the IP behind a small
live endpoint and fetch it client-side. The endpoint is a nocache API page that
returns JSON; the display page stays cacheable and only the IP is fetched live.
The endpoint - save as whatismyip.md (served at /whatismyip):
---
api: true
nocache: true
content_type: application/json
---
{"ip": "[% client_ip %]"}
The display page (or any theme/layout) fetches and renders it:
<p>Your IP address is <span id="your-ip">…</span>.</p>
Behind a reverse proxy
client_ip prefers X-Forwarded-For so a proxied site reports the real visitor,
not the proxy. That header is only trustworthy if your edge (Apache / nginx) sets
it from the real connection and strips any client-supplied copy - the same
requirement as the X-Remote-* trust headers. If the site is served directly (no
proxy), client_ip is the connection address and needs no configuration. The value
is sanitised to IP characters before rendering, so a spoofed header cannot inject
markup into the page.