When Ory Kratos is deployed behind a reverse proxy (such as Nginx), the real client IP address is typically forwarded using the X-Real-IP or X-Forwarded-For HTTP headers. In the provided knowledge sources, the Nginx configuration examples for production deployment of Ory Kratos show that these headers are set when proxying requests to Kratos:

nginx proxy_set_header        Host            $host; proxy_set_header        X-Real-IP       $remote_addr; proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

This ensures that Ory Kratos receives the original client IP address in the X-Real-IP and X-Forwarded-For headers. However, the knowledge sources do not explicitly state how Ory Kratos processes or uses these headers internally to determine the real client IP address. They only show that the headers are forwarded by the reverse proxy configuration, which is a standard practice for making the real IP available to backend services like Kratos. If you need Kratos to act on the real client IP (for example, for logging or security decisions), ensure your reverse proxy is configured as shown above. For more advanced IP-based logic (such as in Ory Oathkeeper), you can configure it to respect the X-Forwarded-For header using the respect_forwarded_for_header option, but this is not documented for Kratos itself in the provided sources. In summary: - Set X-Real-IP and X-Forwarded-For in your reverse proxy configuration. - Kratos will receive these headers, but the documentation does not specify further processing or configuration options for real IP extraction within Kratos itself. [Install and configure Nginx (Kratos)](https://www.ory.sh/docs/kratos/guides/deploy-kratos-example#install-and-configure-nginx)