1. The problem I’m having:
I have a VPS with IP x.y.z.w. This VPS has a Wireguard tunnel to my home. The tunnel uses the block 10.1.1.0/24. I am running two Caddy instances, 1 on the VPS and another at my home.
I access a site hosted on the Caddy instance on the VPS. This instance adds X-Forwarded-For, X-Real-IP to requests before forwarding them to the Caddy instance hosted at my home.
The instance at home forwards the request to the right service. The instance at home has these values in the global trusted_proxies field.
"trusted_proxies": {
    "ranges": [
        "10.1.1.0/24"
    ],
    "source": "static"
}
The X-Forwarded-For header is overridden to the internal Wireguard IP of the VPS. If my understanding is correct, it should be trusting the X-Forwarded-For header set by the Caddy instance on the VPS and not write over those values?
2. Error messages and/or full log output:
Logs from the Caddy instance at home showing the Caddy instance on VPS set the headers correctly.
{"level":"info","ts":1735244287.951898,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"10.1.1.3","remote_port":"36812","client_ip":"27.7.96.110","proto":"HTTP/2.0","method":"POST","host":"jellyfin.ishanjain.me","uri":"/Sessions/Playing/Progress","headers":{"User-Agent":["Ktor client"],"Content-Type":["application/json"],"X-Real-Ip":["27.7.96.110"],"Authorization":[],"Accept-Encoding":["gzip"],"Accept-Charset":["UTF-8"],"Accept":["application/json, application/octet-stream;q=0.9, */*;q=0.8"],"Content-Length":["290"],"X-Forwarded-Host":["jellyfin.ishanjain.me"],"X-Forwarded-For":["27.7.96.110"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"jellyfin.ishanjain.me"}},"bytes_read":290,"user_id":"","duration":0.002382812,"size":0,"status":204,"resp_headers":{"X-State":["KA"],"X-City":["Bengaluru"],"X-Country":["IN"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Response-Time-Ms":["1.9906"],"Date":["Thu, 26 Dec 2024 20:18:07 GMT"]}}
The HTTP request as it was received by the service shows both X-Forwarded-For and X-Real-IP were set to the Wireguard IP of the VPS.
(Captured using wireshark on the host running the service)
3. Caddy version:
2.7.6
4. How I installed and ran Caddy:
Built using xcaddy
a. System environment:
Hosted on Debian 11 using systemd
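
A way to check from the access log alone how the home instance treated the forwarded header, as an added example that is not part of the original post and not Caddy's own code. It assumes the log fields seen in the entry above (`remote_ip`, `client_ip`, `headers`) and the post's trusted range; `classify` and its verdict names are hypothetical.

```python
import ipaddress
import json

TRUSTED_RANGES = ["10.1.1.0/24"]  # range from the post's trusted_proxies block

# Constructed sample: the post's access-log entry trimmed to the fields used here.
SAMPLE_LOG = (
    '{"request":{"remote_ip":"10.1.1.3","client_ip":"27.7.96.110",'
    '"headers":{"X-Real-Ip":["27.7.96.110"],"X-Forwarded-For":["27.7.96.110"]}}}'
)


def parse_ip(text):
    """Return an ip_address object, or None for junk such as 'unknown'."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def forwarded_chain(headers):
    """Flatten X-Forwarded-For (repeated headers and comma lists) into addresses."""
    chain = []
    for name, values in headers.items():
        if name.lower() == "x-forwarded-for":
            for value in values:
                chain += [ip for ip in map(parse_ip, value.split(",")) if ip]
    return chain


def classify(log_line, trusted_ranges=TRUSTED_RANGES):
    """Report how the logging proxy treated X-Forwarded-For for one log entry."""
    request = json.loads(log_line)["request"]
    peer = parse_ip(request["remote_ip"])
    client = parse_ip(request.get("client_ip", request["remote_ip"]))
    chain = forwarded_chain(request.get("headers", {}))
    trusted = peer is not None and any(
        peer in ipaddress.ip_network(r) for r in trusted_ranges)
    if not trusted:
        # A peer outside the trusted ranges must never pick its own client_ip.
        return "untrusted-peer-ok" if client == peer else "spoofed-header-accepted"
    if not chain:
        return "trusted-peer-no-header"
    return "header-honored" if client in chain else "header-ignored"


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

The verdict only describes what the logging instance recorded as `client_ip`; what reaches the backend service still has to be confirmed with a capture such as the Wireshark one mentioned in the post.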