I need to declare different trusted_proxies IP blocks (one IPv4, one IPv6) per server block, while Caddy is acting as a reverse proxy. So, this works as expected in my Caddyfile:
So far so good. But @francislavoie told me recently on GitHub that this option (declaring trusted_proxies in the reverse_proxy block) will become obsolete or even be removed in upcoming Caddy versions. The problem is that declaring it globally in servers {} will declare every IP as trusted by any server block, and this is definitely something I want to avoid.
You could do it via a custom IPRangeSource plugin, because the GetIPRanges function takes a request, so you can set up rules to return different IP ranges based on the request in your plugin. The static IP source module that’s built-in always just returns the same IP ranges for every request.
I have a cluster of Caddy servers (8 servers) serving requests for many websites (+500), each one proxied to, at least, 2 physical servers with their own IP addresses.
The current implementation serves this purpose perfectly because we can set which trusted_proxies serve each website on the reverse_proxy configuration.
The problem with having it in reverse_proxy is that it limits what you can do with it. Having it done earlier at the start of the request (i.e. via servers config) allows populating access logs with client_ip and making the client_ip matcher work, using the parsed IP from headers.
I suggest you implement a module to do what you need if you need per-host IP ranges.
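A sketch of the per-host lookup such a module could perform, as an added example that is not code from this thread or from the Caddy project. The method has the `GetIPRanges(*http.Request) []netip.Prefix` signature of `caddyhttp.IPRangeSource`; the type `PerHostRanges`, the helper `peerTrusted`, and all hostnames and addresses are constructed for illustration.

```go
package main
import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

type PerHostRanges map[string][]netip.Prefix // lowercase site hostname -> trusted proxy prefixes

// NewPerHostRanges parses every CIDR up front and rejects malformed entries.
func NewPerHostRanges(cfg map[string][]string) (PerHostRanges, error) {
	p := PerHostRanges{}
	for host, cidrs := range cfg {
		for _, c := range cidrs {
			pfx, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, fmt.Errorf("host %q: %w", host, err)
			}
			p[strings.ToLower(host)] = append(p[strings.ToLower(host)], pfx.Masked())
		}
	}
	return p, nil
}

// GetIPRanges selects ranges by the request's Host; unknown hosts get nil (trust nobody).
func (p PerHostRanges) GetIPRanges(r *http.Request) []netip.Prefix {
	host := strings.ToLower(r.Host)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop the port when one is present
	}
	return p[strings.TrimSuffix(host, ".")]
}

// peerTrusted (hypothetical helper): is the TCP peer a trusted proxy for this Host?
func peerTrusted(p PerHostRanges, host, remoteAddr string) bool {
	ap, _ := netip.ParseAddrPort(remoteAddr) // on error the Addr is invalid and matches nothing
	for _, pfx := range p.GetIPRanges(&http.Request{Host: host}) {
		if pfx.Contains(ap.Addr().Unmap()) {
			return true
		}
	}
	return false
}

func main() {
	src, _ := NewPerHostRanges(map[string][]string{"a.example": {"192.0.2.0/24"}}) // constructed
	fmt.Println(peerTrusted(src, "a.example:443", "192.0.2.10:5000"), peerTrusted(src, "b.example", "192.0.2.10:5000"))
}
```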
I see, but as I’m also using proxy_protocol, doesn’t it fix that behaviour? Also, is the removal of trusted_proxies support on reverse_proxy ETA for v3?