Header manipulation

Hi, guys.
I have been reading the documentation of Caddy v2 and I have not found anything truly helpful about manipulating headers in reverse_proxy directive, besides this:

  • header_up Sets, adds, removes, or performs a replacement in a request header going upstream to the backend.
  • header_down Sets, adds, removes, or performs a replacement in a response header coming downstream from the backend.

Is there any documentation about this? I need to learn more about this subject to solve a problem I’m having with the reverse_proxy directive in Caddy v2.

The documentation for reverse_proxy is here: reverse_proxy (Caddyfile directive) — Caddy Documentation

The syntax given for those two, as of writing this post, is as follows:

    # header manipulation
    header_up   [+|-]<field> [<value|regexp> [<replacement>]]
    header_down [+|-]<field> [<value|regexp> [<replacement>]]

The only thing I think is not explained here is the [+|-] syntax. + before a header (e.g. +Server) tells Caddy to add it as a new header rather than setting an existing instance of the header (this can result in two Server headers being sent). - before a header instructs Caddy to strip the header entirely (and renders the [<value|regexp> [<replacement>]] fields fairly redundant, I believe).

1 Like

This is correct. :slight_smile:

Should probably add a note about the +/- in the new docs.

1 Like

I’m probably looking in the wrong place how to solve my problem.
Basically: Caddy → Varnish → Node.js application
In varnish default.vcl there is an acl that does not work, because to varnish all hosts have the ip That’s why I was asking you guys for documentation about header_up and header_down; I thought the issue may be related to headers. I don’t know if the issue is related to varnish.

This is my Caddyfile:

mydomain.tech www.mydomain.tech {
reverse_proxy {
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-For {remote}
header_up X-Real-IP {remote}

Ah, so this is an XY problem. I would just ask what your X question is, rather than your Y question, and we’ll help you out. :stuck_out_tongue:

Oh, sorry – did you mean that this is the actual (X) problem?

By default, Caddy 2 sends all (non-hop-by-hop) incoming headers to the upstream as they are. But it depends, where is Varnish getting the IP “” from?

Even though the request comes from the internet, Varnish sees it as

Yes, I get that, but where is it getting that number? What does “sees it as” really mean? Is it looking at a connection’s remote address? or a Host header? or another header? Is it getting that from some configuration? I don’t know how Varnish works, so we’ll need more details. You might consider asking on the Varnish forums if you need help finding out.

You need to tell Varnish to use X-Forwarded-For to determine its client IP addresses instead of the remote IP. That header is the standard for proxies communicating the origin IP of the client.

Not sure how to do this in VCL, sorry.

It’s not possible, realistically, to spoof the actual remote IP address. Doing so would involve having return traffic go directly to the spoofed IP address, for one problem.

1 Like

Luckily, it seems like @Whitestrake has some experience with Varnish :sweat_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.