Help with Caddy forwarding real ip

1. Caddy version (caddy version):

Caddy v2.4.3

2. How I run Caddy:

  1. Running Caddy on TrueNAS inside a jail as a reverse proxy. Its my front server
    2)Running Caddy as a webserver for Nextcloud

a. System environment:

TrueNAS Core 12.2
FreeBSD 12.2

b. Command:

service caddy start

c. Service/unit/compose file:

xcaddy build

d. My complete Caddyfile or JSON config:

Front Caddy As Reverse Proxy: {
tls {
dns cloudflare redactedtoked

    encode gzip

    reverse_proxy {
    header_up X-Forwarded-Host {host}

Caddy as webserver for Nextcloud, {
root * /usr/local/www/nextcloud
log {
output file /var/log/caddy.log
format single_field common_log

    php_fastcgi {
            env front_controller_active true

    # client support (e.g. os x calendar / contacts)
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
            path /.htaccess
            path /data/*
            path /config/*
            path /db_structure
            path /.xml
            path /README
            path /3rdparty/*
            path /lib/*
            path /templates/*
            path /occ
            path /console.php

    respond @forbidden 404


3. The problem I’m having:

Caddy as my webserver always sees IP from caddy reverse proxy instead of the real remote ip. This is a issue as I want to setup fail2ban. How do I get caddy to send the real ip, from my understanding I do not need to use http x forward as caddy automatically does that. I have tried with
header_up Host {}
header_up X-Real-IP {http.request.remote}
header_up X-Forwarded-For {http.request.remote}
header_up X-Forwarded-Port {http.request.port}
header_up X-Forwarded-Proto {http.request.scheme}
and the same thing.

4. Error messages and/or full log output: is my Caddy reverse proxy

Caddy Nextcloud webserver log: - - [06/Jul/2021:11:41:32 -0400] “GET /apps/logreader/poll?lastReqId=VhBA3M5Xng7xnkur5Lqg HTTP/1.1” 200 484 - - [06/Jul/2021:11:41:32 -0400] “GET /apps/logreader/poll?lastReqId=02eLf3Ksem3BHUf2wen3 HTTP/1.1” 200 482 - - [06/Jul/2021:11:41:33 -0400] “GET /apps/logreader/poll?lastReqId=WSMq6CRWbvUYodqxH77c HTTP/1.1” 200 482 - - [06/Jul/2021:11:41:33 -0400] “GET /apps/logreader/poll?lastReqId=e3Y1UUmScIN0IsHblak0 HTTP/1.1” 200 483

Thank You!

Please use three backticks ``` on their own lines, before and after your configs and logs to use code formatting. It’s difficult to read your post because of the messy formatting.

Do not use these lines. Caddy automatically sets the appropriate headers.

You’ll need to use the realip plugin, which replaces the RemoteAddr field in the request as early as possible with the value from the X-Forwarded-For header.

Thanks, Ill format it better next time.
I assume I use the plugin on the front caddy server (the reverse proxy).
I already built caddy with the cloudflare plugin using the command

xcaddy build --output /usr/local/bin/caddy --with

How do I add this plugin or build caddy with both plugins. I found this documentation but I don’t really follow, could you please help me add this plugin to my caddy.

No, on the backend, actually. If your backend is the one logging, then it’s the one that needs it.

Just add another --with for the additional plugin.

Thank You !!!
It works as expected now.

1 Like

Spoke too soon, unfortunately this plugin causes some headache with nextcloud atleast. Nextcloud thinks its being accessed through http with this plugin enabled causing login to stop working. Removing the realip block from caddyfile fixes the issue. That’s an issue with the plugin and not caddy itself so I guess you can still consider this issue closed.

This topic was automatically closed after 30 days. New replies are no longer allowed.