Caddy & Docker reverse proxy - Apps can't see the Client IP

1. The problem I’m having:

  • I installed Caddy and Authentik via Docker
  • Caddy and Authentik are connected via docker network
  • Caddy has IP, Authentik has IP

In the Authentik App Log-File (e.g. changing something in the Admin Panel), the displayed client IP is
But it should be the IP of my computer

With NGINX, the same installation is working via adding:
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

3. Caddy version:


4. How I installed and ran Caddy:

Docker Container

d. My complete Caddy config: {
 reverse_proxy {
### Things I tried but didn't work
# trusted_proxies private_ranges
# header_up X-Real-IP {remote_host}
# header_up X-Forwarded-For {remote_host}
 tls /etc/letsencrypt/live/ /etc/letsencrypt/live/

Caddy already passes the X-Forwarded-For value by default.
The issue is likely that Authentik needs to be configured to trust caddy as a proxy.

This has some documentation about using caddy with authentik.

The Documentation is about the Forward Proxy. This part is working!

Just the Client IPs are not getting displayed.
That’s bad, as you can not do any Client-rules, e.g. not 2FA Auth in your home network.

But I also tested it with NGINX again, and it’s not working anymore (in the last Installation it worked for me, here I had Authentik 10.2022 running)

I’m not aware of any trusted proxies you could define inside Authentik.

It looks lik I have the same problem. I read everywhere that caddy is already forwarding the client IP by default, then what am I doing wrong?

I too tried header_up X-Real-IP {remote_host} and similar. What is the right configuration and/or where do I find the client IP on the backend server?

I’ve got Caddy in docker, the latest version. It is reverse proxying to a virtual machine that runs apache, wordpress and fail2ban. In what log or file could I see the original IP being forwarded? Because all I see is the IP of the reverse_proxy itself. Which is not very useful when configuring fail2ban.

You will probably have to read the Authentik docs. All I know is that caddy passes the proper headers.

Have you disabled userland-proxy?


  "userland-proxy": false

I’m not using Authentik. I’m running Wordpress +LAMP behind Caddy. Sorry for asking the obvious stupid question, but how can Apache’s access.log have the IP-address of reverse proxy, but not the IP of the client, when it is supposed to get the client IP forwarded? Where would I see that client IP then?

Disabling userland-proxy did not make a difference.

See Configuration | authentik, I think you need to add Caddy’s IP address to AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS so that it trusts X-Forwarded-* headers coming from Caddy.

Thanks! And my bigger mistake was accidentally not using a private IP range anymore with 172.52.xx.xx, for my defined docker network, so the predefined rules of Authentik didn’t work.

This is exactly what I like about caddy. It does everything that other servers do, by default. I have caddy serving as a reverse proxy for live streaming audio and video, with no extra config. It just works. Keep it up @matt and @francislavoie


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.