Caddy & Docker reverse proxy - Apps can't see the Client IP

1. The problem I’m having:

  • I installed Caddy and Authentik via Docker
  • Caddy and Authentik are connected via docker network 172.52.0.0/24
  • Caddy has IP 172.52.0.100, Authentik has IP 172.52.0.10

In the Authentik App Log-File (e.g. changing something in the Admin Panel), the displayed client IP is 172.52.0.100
But it should be the IP of my computer 192.168.0.20.

With NGINX, the same installation is working via adding:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

3. Caddy version:

v2.7.5

4. How I installed and ran Caddy:

Docker Container

d. My complete Caddy config:

https://sso.home.net {
	reverse_proxy http://172.52.0.10:9000 {
		### Things I tried but didn't work
		# trusted_proxies private_ranges
		# header_up X-Real-IP {remote_host}
		# header_up X-Forwarded-For {remote_host}
	}
	tls /etc/letsencrypt/live/sso.home.net/fullchain.pem /etc/letsencrypt/live/sso.home.net/privkey.pem
}

Caddy already passes the X-Forwarded-For value by default.
The issue is likely that Authentik needs to be configured to trust caddy as a proxy.

This has some documentation about using caddy with authentik.

The Documentation is about the Forward Proxy. This part is working!

Just the Client IPs are not getting displayed.
That’s bad, as you cannot do any client rules, e.g. no 2FA auth in your home network.

But I also tested it with NGINX again, and it’s not working anymore (in the last Installation it worked for me, here I had Authentik 10.2022 running)

I’m not aware of any trusted proxies you could define inside Authentik.

It looks like I have the same problem. I read everywhere that caddy is already forwarding the client IP by default, then what am I doing wrong?

I too tried header_up X-Real-IP {remote_host} and similar. What is the right configuration and/or where do I find the client IP on the backend server?

I’ve got Caddy in docker, the latest version. It is reverse proxying to a virtual machine that runs apache, wordpress and fail2ban. In what log or file could I see the original IP being forwarded? Because all I see is the IP of the reverse_proxy itself. Which is not very useful when configuring fail2ban.

You will probably have to read the Authentik docs. All I know is that caddy passes the proper headers.

Have you disabled userland-proxy?

/etc/docker/daemon.json

{
  "userland-proxy": false
}

I’m not using Authentik. I’m running Wordpress +LAMP behind Caddy. Sorry for asking the obvious stupid question, but how can Apache’s access.log have the IP-address of reverse proxy, but not the IP of the client, when it is supposed to get the client IP forwarded? Where would I see that client IP then?

Disabling userland-proxy did not make a difference.

See Configuration | authentik, I think you need to add Caddy’s IP address to AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS so that it trusts X-Forwarded-* headers coming from Caddy.

Thanks! And my bigger mistake was accidentally not using a private IP range anymore with 172.52.xx.xx, for my defined docker network, so the predefined rules of Authentik didn’t work.
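To make the two findings above concrete (the backend only honours X-Forwarded-For from peers it trusts, and 172.52.0.0/24 is not an RFC 1918 private range), here is a small model of that decision in Python. This is an added example written for this thread, not code from Caddy or Authentik, and the trust-walk it implements is a generic proxy-header algorithm that is assumed to approximate what Authentik does with AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS; the addresses are the ones from the thread plus constructed documentation addresses (203.0.113.x, 198.51.100.x).

```python
import ipaddress

# RFC 1918 private ranges: the kind of default a "trust private proxies" rule covers.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole network lies inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def is_trusted(addr, trusted):
    """True if addr falls inside any of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff, trusted):
    """Resolve the real client from the TCP peer and an X-Forwarded-For header.

    Only a trusted peer may speak for the client. Walk the header right to left,
    skipping trusted proxies; the first untrusted hop is the client. If every hop is
    trusted (e.g. a LAN client behind a LAN proxy), the leftmost hop is the client.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr  # untrusted peer: its headers are ignored
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    try:
        for h in hops:
            ipaddress.ip_address(h)
    except ValueError:
        return remote_addr  # malformed header: trust none of it
    if not hops:
        return remote_addr
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]


def demo():
    """Replay the thread: Caddy at 172.52.0.100 forwards a request from 192.168.0.20."""
    caddy, browser = "172.52.0.100", "192.168.0.20"
    # Default trust (private ranges only): Caddy's address is not private, so the
    # backend logs the proxy itself. This is the symptom from the first post.
    default = client_ip(caddy, browser, RFC1918)
    # After adding the docker network to the trusted CIDRs, the client is seen.
    fixed = client_ip(caddy, browser, RFC1918 + [ipaddress.ip_network("172.52.0.0/24")])
    return {
        "docker_net_is_private": is_rfc1918("172.52.0.0/24"),  # False: 172.16/12 ends at 172.31
        "alt_net_is_private": is_rfc1918("172.20.0.0/24"),     # True: inside 172.16.0.0/12
        "seen_by_default": default,                            # "172.52.0.100"
        "seen_after_fix": fixed,                               # "192.168.0.20"
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same function also shows why the trust list must be narrow: a request arriving directly from an untrusted address with a forged X-Forwarded-For is attributed to that address, not to whatever the header claims, which is exactly the property Authentik is protecting when it ignores headers from an unknown 172.52.0.100.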

This is exactly what I like about caddy. It does everything that other servers do, by default. I have caddy serving as a reverse proxy for live streaming audio and video, with no extra config. It just works. Keep it up @matt and @francislavoie
