Caddy proxy_protocol parsing and trusted_proxies syntax question

1. The problem I’m having:

I have a public-facing HAProxy and let Caddy terminate TLS on the backends. HAProxy forwards the challenge via HTTP to Caddy and forwards TCP requests to the backend. Everything is working fine so far, except that I only see the HAProxy IP as the client IP in the Caddy logs.
So I want to make use of the proxy protocol (v2) and activated this for my Caddy backends in the HAProxy config, but I still struggle to get my Caddy config right to make use of it.
Can someone help me understand what I am doing wrong in my Caddyfile and give me a proper example so I finally understand my mistake?

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

Added the Copr repo and installed Caddy via dnf as described in the docs.

a. System environment:

Rocky Linux 9

d. My complete Caddy config:

service.some.domain {
	log {
		output file /var/log/caddy/service.log {
			roll_size 20mb
			roll_keep 2
			roll_keep_for 6h
		}
		format console
		level error
	}
	reverse_proxy 127.0.0.1:8543 {
		trusted_proxies static 10.11.12.13/32
	}
	encode zstd gzip
}

5. Links to relevant resources:

I don't think I need to define the transport directive, since that is happening on my HAProxy, if I get this right?

I am not sure how to define/implement this correctly in my config…

Also, trusted_proxies as defined in my config is not working, and I am really confused after several tries now.

Thank you in advance for your time and help.
Also, thanks for sharing Caddy with the community!

Okay, I figured out the trusted_proxies bit by prepending this to my config…

{
	servers {
		trusted_proxies static 10.11.12.13/32
	}
}

So it's a global setting?
Unfortunately I still get the HAProxy IP as the client IP. I assume that's because this is a TCP forward and I still need to parse the proxy protocol info that HAProxy sends somehow?
I am beginning to think that might not be possible without compiling layer4 support into Caddy?
If that's the case, I would still be very thankful for an explanation of the other proxy_protocol references in the docs and when to use them.

You have the example right here in one of the links you shared. Just scroll down a little bit, right before the timeouts section starts

Oh my, thank you for putting my nose onto the right letters! I should take a break, I think… :grimacing:
So basically I would prepend this to make it work?

{
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 2s
				allow 10.11.12.13/32
			}
			tls
		}
	}
}

Do I need to explicitly define a deny rule as well, or isn't that necessary, and everything else will be denied by default if I specify single allow IPs?
Also, how would I specify the protocol version in use, v1 or v2?

Thank you again so much! I just wasn't able to see this any more for hours…

Edit: I just read it again and figured my first question is answered by the fallback policy definition.


You don’t.

v1 is human-readable, v2 is binary.

As soon as the receiver sees “PROXY”, it knows it’s v1. Otherwise, if it sees a specific 12-byte sequence, it knows it’s v2.

You can find more details in the proxy protocol specification:

Edit: To clarify though, when you want Caddy to send the PROXY protocol headers, meaning when Caddy is the sender, acting as a proxy, you do specify which PROXY protocol version Caddy should use.

In other words:

  • Caddy as a receiver: auto-detects based on the header.
  • Caddy as a sender: you configure the version explicitly.
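The receiver-side auto-detection described in the reply above, as an added Go example that is not part of the original thread and not Caddy's or HAProxy's own code. The sender (HAProxy's role in this thread) chooses the version explicitly when it builds the header; the receiver (Caddy's role) never has to be told, because the first bytes on the wire identify it: the 12-byte v2 signature, or the ASCII prefix `PROXY ` for v1. Anything else is not a PROXY header, and a strict receiver rejects it rather than guessing, which is the decision the `fallback_policy` setting controls. The addresses, ports and trailing bytes are constructed for the example, and the function names (`BuildV1`, `BuildV2`, `Parse`) are the example's own. IPv6 address blocks are deliberately left out to keep the parser short.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// v2Signature is the fixed 12-byte prefix that starts every PROXY protocol v2 header.
var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

type ProxyInfo struct { // what the receiver learns from the header
	Version          int
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	NoAddr           bool // v1 UNKNOWN or v2 LOCAL: the header carries no client address
}

// BuildV1 is the sender side for the text format (IPv4 only here); the sender picks
// the version. Output looks like "PROXY TCP4 198.51.100.7 10.0.0.5 51234 443\r\n".
func BuildV1(src, dst net.IP, sport, dport uint16) []byte {
	return []byte(fmt.Sprintf("PROXY TCP4 %s %s %d %d\r\n", src.To4(), dst.To4(), sport, dport))
}

// BuildV2 is the sender side for the binary format (IPv4 over TCP only here).
func BuildV2(src, dst net.IP, sport, dport uint16) []byte {
	hdr := append([]byte{}, v2Signature...)
	hdr = append(hdr, 0x21, 0x11, 0, 12) // version 2 + PROXY command; AF_INET + STREAM; 12-byte address block
	hdr = append(hdr, src.To4()...)
	hdr = append(hdr, dst.To4()...)
	return append(hdr, byte(sport>>8), byte(sport), byte(dport>>8), byte(dport)) // ports are big-endian
}

// Parse is the receiver side and is never told the version: the binary v2 signature wins,
// else the ASCII "PROXY " prefix means v1, else this is not a PROXY header and is rejected.
func Parse(buf []byte) (ProxyInfo, []byte, error) {
	if bytes.HasPrefix(buf, v2Signature) {
		return parseV2(buf)
	}
	if bytes.HasPrefix(buf, []byte("PROXY ")) {
		return parseV1(buf)
	}
	return ProxyInfo{}, buf, errors.New("no PROXY protocol header")
}

func parseV1(buf []byte) (ProxyInfo, []byte, error) {
	end := bytes.Index(buf, []byte("\r\n")) // a v1 line is at most 107 bytes including CRLF
	if end < 0 || end > 105 {
		return ProxyInfo{}, buf, errors.New("v1: missing or oversized header line")
	}
	f, info := strings.Split(string(buf[:end]), " "), ProxyInfo{Version: 1}
	if len(f) >= 2 && f[1] == "UNKNOWN" { // the sender could not determine the client
		return ProxyInfo{Version: 1, NoAddr: true}, buf[end+2:], nil
	}
	if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") {
		return ProxyInfo{}, buf, errors.New("v1: malformed header")
	}
	info.SrcIP, info.DstIP = net.ParseIP(f[2]), net.ParseIP(f[3])
	sp, err1 := strconv.ParseUint(f[4], 10, 16)
	dp, err2 := strconv.ParseUint(f[5], 10, 16)
	if info.SrcIP == nil || info.DstIP == nil || err1 != nil || err2 != nil {
		return ProxyInfo{}, buf, errors.New("v1: bad address or port")
	}
	info.SrcPort, info.DstPort = uint16(sp), uint16(dp)
	return info, buf[end+2:], nil
}

func parseV2(buf []byte) (ProxyInfo, []byte, error) {
	if len(buf) < 16 {
		return ProxyInfo{}, buf, errors.New("v2: short header")
	}
	verCmd, fam, n := buf[12], buf[13], int(binary.BigEndian.Uint16(buf[14:16]))
	if verCmd>>4 != 2 || verCmd&0x0f > 1 || len(buf) < 16+n {
		return ProxyInfo{}, buf, errors.New("v2: bad version/command or truncated header")
	}
	info, addr, rest := ProxyInfo{Version: 2}, buf[16:16+n], buf[16+n:]
	switch {
	case verCmd&0x0f == 0: // LOCAL: the proxy's own traffic (health checks), no client address
		info.NoAddr = true
	case fam == 0x11 && n >= 12: // AF_INET + STREAM: src4, dst4, sport, dport
		info.SrcIP, info.DstIP = net.IP(addr[0:4]), net.IP(addr[4:8])
		info.SrcPort, info.DstPort = binary.BigEndian.Uint16(addr[8:10]), binary.BigEndian.Uint16(addr[10:12])
	default: // IPv6 and UNIX families exist in the spec but are not handled in this example
		return ProxyInfo{}, buf, errors.New("v2: unsupported address family")
	}
	return info, rest, nil
}

func main() {
	client, backend := net.ParseIP("198.51.100.7"), net.ParseIP("10.0.0.5") // constructed addresses
	for _, hdr := range [][]byte{BuildV2(client, backend, 51234, 443), BuildV1(client, backend, 51234, 443)} {
		info, rest, err := Parse(append(hdr, 0x16, 0x03, 0x01)) // constructed stand-in for the TLS ClientHello
		fmt.Printf("v%d: client %s:%d -> %s:%d, %d payload bytes follow (err=%v)\n",
			info.Version, info.SrcIP, info.SrcPort, info.DstIP, info.DstPort, len(rest), err)
	}
	_, _, err := Parse([]byte("GET / HTTP/1.1\r\n")) // a direct connection with no header is rejected, not trusted
	fmt.Println("without header:", err)
}
```

The bytes left over after the header are the start of the real connection, which in this thread's setup is the TLS ClientHello; that is why the `proxy_protocol` listener wrapper has to be listed before `tls`, as in the config above. It also shows the division of labour the thread circled around: `trusted_proxies` governs whose X-Forwarded-For headers Caddy believes, and an HAProxy doing a TCP forward never sends any, so only the PROXY header can carry the client address across that hop.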
