Does CaddyServer support PROXY?

I have been setting up CaddyServer to act as an SSL proxy for my Varnish cache servers, and would like to know if CaddyServer can be configured as an invisible proxy. The transparent template for proxy doesn’t seem do it, that just adds some more headers such as XFF.

We have a load-balancing Cisco Ace first in our stack, and that is set up in such a way so that CaddyServer sees the real IP in {remote} and not the Cisco’s IP:

[31/Mar/2017:11:55:15 +0100] ca-proxy01 GET /testing/test.png  304 2ms 0 https -

Where is actually the IP from my (remote) office, and not the load-balancer IP.

When CaddyServer passes the request to the Varnish node, I get what I’d expect from a non-transparent proxy:

-   ReqStart 44808
-   ReqHeader      X-Forwarded-For:
-   ReqHeader      X-Forwarded-Proto: https

Here I can see the client IP as being, which is the CaddyServer IP, and Caddy has populated the XFF header.

Is there any way to make CaddyServer a transparent proxy?

What do you want Varnish to receive? A HTTP request that looks like it came directly from the client?
You can manipulate upstream and downstream headers, see:

I’m not sure on the exact terminology, but an example is the traffic the CaddyServer is getting from my Cisco Ace. Caddy just sees the client IP as being the “real” remote client IP, not the one from the actual next-upstream client, which is the internal Cisco server. I don’t know how it does this.
If I point my Cisco to my varnish servers, they also just see the “client ip” as being the actual remote client IP, as if the proxy wasn’t there. I can still see the headers it adds, like X-Forwarded-For and X-Forwarded-Proto, but to all intents and purposes, it thinks this is a direct connection from the client.

One possibility, because I know Varnish supports it, is the PROXY protocol, which seems to be something haproxy came up Proxy Protocol - HAProxy Technologies

The main advantage is that I don’t have to fill all my code with checks of the XFF header and the client IP, I can just assume the client IP is real.

PROXY protocol support is coming soon, see

A plugin will provide this functionality.

Great, thanks. That makes me feel better about temporarily hacking in a bunch of “if upstream is Caddy then _dosomething_ else _dosomethingelse_” in my Varnish code.

Internal testing of the new CaddyServer and the major upgrade of Varnish will hopefully take long enough that this will come out before go-live, and I can put it in :slight_smile:


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.