1. The problem I’m having:
The service behind caddy reverse proxy can NOT obtain true IP.
e.g.
- I have a server (IP 192.168.50.32), which is deploied the docker.
- The docker has two network mode: host and bridge(IP CIDR 172.17.0.0/20, Gateway 172.17.0.1)
- A Caddy docker is run using bridge (IP 172.17.0.5), which be set as a reverse proxy, 192.168.50.32:58443–>172.17.0.5:443
- A DDNS-GO docker is run using host, 192.168.50.32:9876
- A local network machine as terminal (IP 192.168.50.151)
- I expect machine access DDNS-GO via caddy, and DDNS-GO will obtain remote IP is 192.168.50.151, but now that is docker gateway IP 172.17.0.1
2. Error messages and/or full log output:
when I access ddns-go:
% curl -4vL https://app-ddnsgo.direct.do.main:58443/
* Trying 192.168.50.32:58443...
* Connected to app-ddnsgo.direct.do.main (192.168.50.32) port 58443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.direct.do.main
* start date: Jan 13 00:00:00 2024 GMT
* expire date: Apr 12 23:59:59 2024 GMT
* subjectAltName: host "app-ddnsgo.direct.do.main" matched cert''s "*.direct.noipto.host"
* issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9e2400b600)
> GET / HTTP/2
> Host: app-ddnsgo.direct.do.main:58443
> user-agent: curl/7.80.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< alt-svc: h3=":443"; ma=2592000
< date: Mon, 15 Jan 2024 19:29:50 GMT
< server: Caddy
< content-length: 0
<
* Connection #0 to host app-ddnsgo.direct.do.main left intact
This is caddy access log:
{
"level": "error",
"ts": 1705346990.384408,
"logger": "http.log.access.log0",
"msg": "handled request",
"request": {
"remote_ip": "172.17.0.1",
"remote_port": "36576",
"client_ip": "172.17.0.1",
"proto": "HTTP/2.0",
"method": "GET",
"host": "app-ddnsgo.direct.do.main:58443",
"uri": "/",
"headers": {
"User-Agent": [
"curl/7.80.0"
],
"Accept": [
"*/*"
]
},
"tls": {
"resumed": false,
"version": 772,
"cipher_suite": 4865,
"proto": "h2",
"server_name": "app-ddnsgo.direct.do.main"
}
},
"bytes_read": 0,
"user_id": "",
"duration": 0.00053049,
"size": 0,
"status": 403,
"resp_headers": {
"Server": [
"Caddy"
],
"Alt-Svc": [
"h3=\":443\"; ma=2592000"
],
"Date": [
"Mon, 15 Jan 2024 19:29:50 GMT"
],
"Content-Length": [
"0"
]
}
}
This is ddns-go access log
2024/01/16 03:29:50 "Remote: 172.17.0.5:49442 ,Real-IP: 172.17.0.1:36576 ,Forwarded-For: 172.17.0.1:36576" prohibit acess from WAN
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
docker compose
b. Command:
caddy run --config /etc/caddy/Caddyfile
c. Service/unit/compose file:
services:
caddy:
container_name: Caddy
image: caddy:latest
restart: always
network_mode: bridge
ports:
- "58443:443"
- "58443:443/udp"
volumes:
- /etc/localtime:/etc/localtime
- ./caddy/data:/data
- ./caddy/config:/config
- ./caddy/Caddyfile:/etc/caddy/Caddyfile
d. My complete Caddy config:
*.direct.do.main {
@app-ddnsgo {
host app-ddnsgo.direct.do.main
}
reverse_proxy @app-ddnsgo http://192.168.50.32:9876 {
header_up Host {host}
header_up X-Real-IP {remote}
header_up X-Forwarded-For {remote}
header_up X-Forwarded-Port {server_port}
header_up X-Forwarded-Proto "http"
trusted_proxies 172.17.0.0/20
}
}
I try to comment Line 6-11 arbitrarily, but the reponse is NOT meet expectation.