Get visitor's IP instead of load balancer

1. The problem I’m having:

I am getting the private IP address of my load balancer instead of the user's actual IP.

2. Error messages and/or full log output:

N/A

3. Caddy version:

2.8.4

4. How I installed and ran Caddy:

I use Caddy within Docker.

a. System environment:

Ubuntu 24.05, Docker

d. My complete Caddy config:

{
	log {
		output file /var/log/caddy/access.log {
			roll_keep_for 90d
		}
		format console {
			time_format wall
		}
	}

	servers :443 {
		listener_wrappers {
			http_redirect
			tls
		}
	}

	servers {
		max_header_size 4kb

		timeouts {
			read_body 10s
			read_header 10s
			write 10s
			idle 1m
		}
	}
}

http://localhost {
	respond /health "Caddy is up and healthy!" 200
}

{$APP_URL} {
	encode gzip

	reverse_proxy php:8080 {
		# Health check
		health_uri /up
		health_interval 10s
		health_timeout 5s
	}
}

5. Links to relevant resources:

You should configure the PROXY protocol on your load-balancer or ensure it sets X-Forwarded-For and configure the load-balancer’s IP address as trusted_proxy.

I’ve enabled Proxy Protocol on the load balancer and added trusted_proxies 10.0.0.0/16 to the servers section in my Caddyfile, but when I visit the site I get Secure Connection Failed.

Is this incorrect?

It’s an or, not an and. If you configured the proxy protocol, tell Caddy it must check for it.

I did try using proxy_protocol earlier and then enabling Proxy Protocol on the LB but that doesn’t work either. I get the same "Secure Connection Failed" error when visiting the site. Same issue when I disabled Proxy Protocol on the LB.

I’ve also tried the trusted_proxies and get the same error as above.

So to confirm, I need to enable Proxy Protocol on the LB and add proxy_protocol, or am I misunderstanding?

{"level":"debug","ts":1739815060.8913403,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.0.0.2:26940: tls: first record does not look like a TLS handshake"}

Sorted

Please post your solution
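A PROXY protocol header sent ahead of the TLS ClientHello is one way to produce the "first record does not look like a TLS handshake" error logged above. The sketch below is an added example, not code from the thread or from Caddy: it strips a v1 or v2 header only when the peer is in the 10.0.0.0/16 range mentioned in the thread and shows that the remaining bytes are a TLS record. The sample bytes, the addresses 203.0.113.7 and 10.0.0.5, and the function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"               # 12-byte PROXY protocol v2 signature
TRUSTED = ipaddress.ip_network("10.0.0.0/16")   # load balancer subnet quoted in the thread

def is_tls_record(data: bytes) -> bool:
    """TLS opens with a handshake record: content type 0x16, major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def strip_proxy_header(data: bytes, peer_ip: str):
    """Return (client_ip, rest). client_ip is None when no address is carried."""
    v1, v2 = data.startswith(b"PROXY "), data.startswith(V2_SIG)
    if not (v1 or v2):
        return None, data                        # no PROXY header at all
    # Anyone who can reach the port can send this header, so only honour it
    # from the load balancer's addresses; otherwise the client IP is spoofable.
    if ipaddress.ip_address(peer_ip) not in TRUSTED:
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    if v1:                                       # v1: one ASCII line, at most 107 bytes
        end = data.find(b"\r\n", 0, 107)
        if end == -1:
            raise ValueError("unterminated PROXY v1 header")
        fields = data[:end].decode("ascii", "replace").split(" ")
        ok = len(fields) == 6 and fields[1] in ("TCP4", "TCP6")
        return (fields[2] if ok else None), data[end + 2:]
    if len(data) < 16:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("malformed PROXY v2 header")
    client = None
    if ver_cmd & 0x0F == 1 and family == 0x11 and length >= 12:  # PROXY, TCP over IPv4
        client = socket.inet_ntoa(data[16:20])
    return client, data[16 + length:]

# Constructed samples: a truncated ClientHello and the same bytes behind each header.
CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303")
V1_SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 26940 443\r\n" + CLIENT_HELLO
V2_SAMPLE = (V2_SIG + b"\x21\x11" + struct.pack("!H", 12)
             + socket.inet_aton("203.0.113.7") + socket.inet_aton("10.0.0.5")
             + struct.pack("!HH", 26940, 443) + CLIENT_HELLO)

if __name__ == "__main__":
    for name, raw in (("v1", V1_SAMPLE), ("v2", V2_SAMPLE)):
        client, rest = strip_proxy_header(raw, "10.0.0.2")
        print(name, "raw is TLS:", is_tls_record(raw), "| client:", client,
              "| after strip is TLS:", is_tls_record(rest))
```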