Not understanding new trusted_proxies rules


  1. trusted_proxies as a snippet, call it under every reverse_proxy
  2. I didn’t have tls internal set up so added that in. Works fine now.
  3. SSL/TLS set to Full in Cloudflare

Updated to 2.5 and the trusted_proxies change is messing with my setup. I do use Cloudflare proxy in front of my setup, and am trying to figure out where the trusted_proxy block needs to go. My Google-fu is failing and it doesn’t seem to have a good page in the wiki.

Something like this in global options:

trusted_proxies {

What I have now (before the update):

(headers) {
        header {
                Strict-Transport-Security max-age=31536000;
                X-Content-Type-Options nosniff
                X-Frame-Options DENY
                Referrer-Policy no-referrer-when-downgrade
                X-XSS-Protection 1
collabora.$DOMAIN {
        encode gzip
        @collabora {
                path /loleaflet/*
                path /hosting/discovery
                path /hosting/capabilities
                path /lool/*
        reverse_proxy @collabora

drive.$DOMAIN {

family.$DOMAIN {

Then for Nextcloud (drive.$DOMAIN), this is the Caddyfile

:8080 {
        root * /srv/nextcloud
        encode gzip zstd
        php_fastcgi unix//run/php/php8.0-fpm.sock
        header {
                Strict-Transport-Security max-age=31536000;

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
                path /README
                path /3rdparty/*
                path /lib/*
                path /templates/*
                path /occ
                path /console.php
        respond @forbidden 404

It’s a subdirective of reverse_proxy:

reverse_proxy {

Okay, it’s at least reloading the Caddyfile now, but Cloudflare is throwing SSL handshake errors, even after purging the cache.

That’s not a problem with trusted_proxies, that’s unrelated.

Yes, correct, sorry. Now I need to figure out why that’s happening. Appreciate the help.

Any plans of being able to declare trusted_proxies globally?

No plans for that right now.

You can make a snippet and copy it into each of your reverse_proxy.

Went from full encryption in Cloudflare to flexible to get rid of the handshake error, now I’m getting timeouts.

Figured it out, edited post with final solution.

This topic was automatically closed after 30 days. New replies are no longer allowed.