Ok latest announcement added some info about it being deprecated now, but I’m still on lost ground, no clear instructions for me how it should be added. I failed for hours and lost track, tried all various ways, but never managed to set it up proper.
Here’s an example for caddyfile, could you help sort it out?
You literally just replace remote_ip forwarded with client_ip. And make sure you have trusted_proxies configured in your global options. That’s it. See Global options (Caddyfile) — Caddy Documentation
I tried adding it under various handles, and on top of all configs, and in beginning of each domainexample
trusted_proxies cloudflare
Getting errors right and left.
Case1
caddy run
Error: adapting config using caddyfile: parsing caddyfile tokens for 'servers': Caddyfile:3 - Error during parsing: getting module named 'http.ip_sources.cloudflare': module not registered: http.ip_sources.cloudflare
Case2 Error: adapting config using caddyfile: Caddyfile:34: unrecognized directive: trusted_proxies
Case3
←[34mINFO←[0m using adjacent Caddyfile
Error: adapting config using caddyfile: parsing caddyfile tokens for 'handle': getting matcher module 'trusted_proxies': module not registered: http.matchers.trusted_proxies
Then I tested without adding the trusted_proxies cloudflare , but with only changing all cases of remote_ip forwarded to clientip caddy started up, but I was no longer allowed to access from inside my own without giving username password…
If you want to use the cloudflare IP source module, you need to build Caddy with that plugin added. It doesn’t ship with the standard distribution of Caddy.
It’s a separate plugin from the DNS one, even though they are both named cloudflare in your config. They’re different modules used in different places of the config.
Yes, if you want to use trusted_proxies cloudflare you need that module. If you use trusted_proxies static <cidrs...> then you don’t need any additional modules.
Because there needs to be a mechanism that verifies that the request actually came from a trusted proxy, otherwise the X-Forwarded-For header could be spoofed by the original client to bypass your matchers.
That’s why remote_ip forwarded is deprecated, there was no mechanism for preventing spoofing, therefore anyone could just craft an HTTP request with their own X-Forwarded-For value which would pass your remote_ip forwarded matcher.
The new client_ip matcher does not have this problem because it specifically relies on trusted_proxies. If the request is trusted, it’ll use the IP parsed from headers, otherwise it will use the remote address (i.e. the IP address attached to the TCP packets).
Since you’re using Cloudflare, you should also set client_ip_headers CF-Connecting-IP (just below trusted_proxies in global options) because Cloudflare doesn’t prevent X-Forwarded-For spoofing. Only their CF-Connecting-IP is safe from spoofing.
trusted_proxies private_ranges and_my_wan_ip_here ← is this correct? for having both the private_ranges where caddy and my wan_ip is ran from being allowed to run internally and bypass.
So it would look like this
trusted_proxies private_ranges wan_ip_x.x.x.x
I then replaced all places found remote_ip forwarded with client_ip
When I try to enter from my home location it still ask for username and password ?
So I was wondering if the other places where I still use remote_ip but without forwarded attached to it should also be changed to client_ip ?
No, you need to use the trusted_proxiesglobal option.
The client_ip matcher doesn’t know about your proxy handler and its config. You need to configure trusted_proxies in global options for it to affect the automatic client IP parsing behaviour.
I wrote about this above already, and linked to the documentation.
Ok yes my bad, I was reading various different docs and got it all mixed up.
Now I have done that and added it to the top + i renamed all remote_ip forwarded to client_ip and the rest of fields I could find with just remote_ip leftovers also where renamed to client_ip
It seems to be running but my access without entering credentials on the lan is still not working, where if I simply revert the rename of forwarded change it works.
I then replaced trusted_proxies static private_ranges my_wan_ip with trusted_proxies cloudflare to the servers, after compiling new version with GitHub - WeidiDeng/caddy-cloudflare-ip included
{
servers {
trusted_proxies cloudflare
}
}
I can now succesfull connect from via lan without authentication.
But I’m not sure if this is the correct way(in my head when I think of adding cloudflare as trusted_proxies I think of it as all clients connected through cloudflare now, does not have to enter any authentication details?, and how if I want to add private_range and my wan_ip into the trusted_proxies at the same time as cloudflare is included into it, how would that look like?
trusted_proxies configures which proxies are trusted to have correctly handled X-Forwarded-For (or whatever header you configure with client_ip_headers) such that those headers are trusted sources of the real client IP. You’re not trusting your actual client IP, you’re trusting the proxy.
This doesn’t make sense, because your proxy is Cloudflare, not something running locally (i.e. private ranges) and the proxy is not your client.