You know, that’s actually a good idea now that you mention it… I don’t know many use cases where external front-facing proxies vary per-site. I suspect most users would want the option of specifying the list just once.
We generally try to avoid making exceptions like this in general (i.e. snippets are the correct way to reuse config, or have config apply to multiple sites), but this seems like a reasonable exception, maybe?
The handle aren’t necessary in this situation, but they make the config more flexible to future changes, such as if you wanted to use respond or file_server according to certain matchers, because otherwise you’d have to contend with directive ordering to make sure it works right.
No, that wouldn’t be safe.
At a glance it sounds like it should be, but there are situations where it’s risky. So it’s best to default to trusting nothing, and letting the user opt-in, should they understand the implications.
For example, if you’re running in Docker and don’t have a downstream proxy in front of it, Docker may be running with a userland proxy (TCP layer) which makes the RemoteAddr that Caddy sees actually be a private IP for all requests. In that situation, there’s nothing that can reasonably be trusted, because the userland proxy is lossy (rewrites/hides/loses the original client IP on the TCP connection). Obviously your application would get garbage IPs in that situation (172.x.x.x range probably) but that’s still better than allowing any client to spoof X-Forwarded-For.