Declare trusted_proxies per server block

I need to declare different trusted_proxies IP blocks (one IPv4, one IPv6) per server block, while Caddy is acting as a reverse proxy. So, this works as expected in my Caddyfile:

{
    reverse_proxy {
        trusted_proxies [ipv4] [ipv6]

So far so good. But @francislavoie told me recently on GitHub that this option (declaring trusted_proxies in the reverse_proxy block) will become obsolete or even be removed in the next Caddy versions. The problem is that declaring it globally in server {} will declare every IP as trusted by any server block, and this is definitely something I want to avoid.

Any other options here?


Why do you need this, exactly?

You could do it via a custom IPRangeSource plugin, because the GetIPRanges function takes a request, so you can set up rules to return different IP ranges based on the request in your plugin. The static IP source module that’s built-in always just returns the same IP ranges for every request.

1 Like

I have a cluster of Caddy servers (8 servers) serving requests for many websites (+500), each one proxied to, at least, 2 physical servers with their own IP addresses.

The current implementation serves this purpose perfectly because we can set which trusted_proxies serve each website on the reverse_proxy configuration.

The problem with having it in reverse_proxy is that it limits what you can do with it. Having it done earlier at the start of the request (i.e. via servers config) allows populating access logs with client_ip and making the client_ip matcher work, using the parsed IP from headers.

I suggest you implement a module to do what you need if you need per-host IP ranges.

1 Like
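The per-request lookup suggested in the replies above, as an added example (not code from this thread or from Caddy): a standard-library sketch of a range source whose GetIPRanges takes the request and returns only the proxies trusted for that site. The names HostRanges and ClientIP, the host names and the addresses are constructed assumptions; Caddy module registration and Caddyfile wiring are omitted, and the client-IP logic is a simplification.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// HostRanges (hypothetical) lists, per site host, the only proxies trusted for it.
type HostRanges map[string][]netip.Prefix
// GetIPRanges receives the request, so the trusted set can differ per site.
func (h HostRanges) GetIPRanges(r *http.Request) []netip.Prefix {
	host := r.Host
	if name, _, err := net.SplitHostPort(host); err == nil {
		host = name // strip an optional :port
	}
	return h[strings.ToLower(host)] // unknown host: nil, so nothing is trusted
}

// ClientIP (simplified, not Caddy's resolver): header used only for a peer trusted for this request.
func ClientIP(src HostRanges, r *http.Request) netip.Addr {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}
	}
	peer := ap.Addr().Unmap()
	xff := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	last, err := netip.ParseAddr(strings.TrimSpace(xff[len(xff)-1]))
	for _, p := range src.GetIPRanges(r) {
		if err == nil && p.Contains(peer) {
			return last // rightmost entry: the one the trusted proxy appended
		}
	}
	return peer // untrusted peer or unusable header: ignore what the header claims
}

func main() {
	src := HostRanges{ // constructed sample using documentation address ranges
		"a.example": {netip.MustParsePrefix("192.0.2.10/32"), netip.MustParsePrefix("2001:db8::10/128")},
		"b.example": {netip.MustParsePrefix("198.51.100.0/24")},
	}
	r, _ := http.NewRequest("GET", "http://a.example/", nil)
	r.RemoteAddr = "192.0.2.10:40000"
	r.Header.Set("X-Forwarded-For", "203.0.113.7")
	fmt.Println(r.Host, ClientIP(src, r)) // peer trusted for a.example: header used
	r.Host = "b.example"
	fmt.Println(r.Host, ClientIP(src, r)) // same peer, not trusted for b.example
}
```

The same peer and the same header resolve to different client IPs depending on the site, which is the isolation a single global static list cannot express.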

I see, but as I’m also using proxy_protocol, doesn’t it fix that behaviour?
Also, is v3 the ETA for the removal of trusted_proxies support on reverse_proxy?

No specific plan yet, but in general you should migrate to the global option.

I don’t know in which context you mean that. You haven’t shared your full config, so I don’t know what you mean.

1 Like