Not understanding new trusted_proxies rules


  1. trusted_proxies as a snippet, call it under every reverse_proxy
  2. I didn’t have tls internal set up so added that in. Works fine now.
  3. SSL/TLS set to Full in Cloudflare

Updated to 2.5 and the trusted_proxies change is messing with my setup. I do use Cloudflare proxy in front of my setup, and am trying to figure out where the trusted_proxy block needs to go. My Google-fu is failing and it doesn’t seem to have a good page in the wiki.

Something like this in global options:

trusted_proxies {

What I have now (before the update):

(headers) {
        header {
                Strict-Transport-Security max-age=31536000;
                X-Content-Type-Options nosniff
                X-Frame-Options DENY
                Referrer-Policy no-referrer-when-downgrade
                X-XSS-Protection 1
        }
}

collabora.$DOMAIN {
        encode gzip
        @collabora {
                path /loleaflet/*
                path /hosting/discovery
                path /hosting/capabilities
                path /lool/*
        }
        # upstream address not shown in the post
        reverse_proxy @collabora
}

drive.$DOMAIN {
        # site contents not shown in the post
}

family.$DOMAIN {
        # site contents not shown in the post
}

Then for Nextcloud (drive.$DOMAIN), this is the Caddyfile

:8080 {
        root * /srv/nextcloud
        encode gzip zstd
        php_fastcgi unix//run/php/php8.0-fpm.sock
        header {
                Strict-Transport-Security max-age=31536000;
        }

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
                path /README
                path /3rdparty/*
                path /lib/*
                path /templates/*
                path /occ
                path /console.php
        }
        respond @forbidden 404
}

It’s a subdirective of reverse_proxy:

reverse_proxy {

Okay, it’s at least reloading the Caddyfile now, but Cloudflare is throwing SSL handshake errors, even after purging the cache.

That’s not a problem with trusted_proxies, that’s unrelated.

Yes, correct, sorry. Now I need to figure out why that’s happening. Appreciate the help.

Any plans of being able to declare trusted_proxies globally?

No plans for that right now.

You can make a snippet and copy it into each of your reverse_proxy.

Went from full encryption in Cloudflare to flexible to get rid of the handshake error, now I’m getting timeouts.

Figured it out, edited post with final solution.
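The approach the replies describe (trusted_proxies is a subdirective of reverse_proxy, kept in a snippet and imported into each reverse_proxy), combined with the tls internal and Cloudflare Full settings from the summary at the top, written out as an added Caddyfile example. This is example configuration, not the poster's final file: the IP ranges are RFC 5737 documentation placeholders to be replaced with Cloudflare's published list, the upstream addresses are assumed, and {$DOMAIN} is Caddyfile environment-variable substitution standing in for the poster's $DOMAIN placeholder.

```caddyfile
# Added example, not the poster's own Caddyfile.
# One snippet holds the list of proxies whose X-Forwarded-* headers Caddy
# may believe; it is imported inside every reverse_proxy block.
(cloudflare) {
        # Placeholder ranges (RFC 5737 documentation space). Replace with the
        # current ranges Cloudflare publishes. A request arriving from any
        # other address keeps its TCP peer address as the client IP, so a
        # client that reaches the origin directly cannot forge its source.
        trusted_proxies 203.0.113.0/24 198.51.100.0/24
}

(headers) {
        header {
                Strict-Transport-Security max-age=31536000;
                X-Content-Type-Options nosniff
                X-Frame-Options DENY
                Referrer-Policy no-referrer-when-downgrade
        }
}

collabora.{$DOMAIN} {
        # Certificate from Caddy's internal CA so the origin speaks HTTPS,
        # which Cloudflare's Full SSL/TLS mode requires.
        tls internal
        import headers
        encode gzip
        @collabora {
                path /loleaflet/*
                path /hosting/discovery
                path /hosting/capabilities
                path /lool/*
        }
        # upstream address is assumed
        reverse_proxy @collabora localhost:9980 {
                import cloudflare
        }
}

drive.{$DOMAIN} {
        tls internal
        import headers
        # Nextcloud site served on :8080 by the same Caddy instance (assumed)
        reverse_proxy localhost:8080 {
                import cloudflare
        }
}
```

Two things to check after reloading. First, the snippet must be imported inside the reverse_proxy braces, not at site level, because trusted_proxies is a subdirective and is rejected elsewhere. Second, resist the temptation to widen the list to 0.0.0.0/0 to make logs look right: that would let any client set its own X-Forwarded-For and show up in the backend with a chosen address. With the Cloudflare ranges listed, requests proxied through Cloudflare carry the real visitor address, while anything that bypasses Cloudflare is logged with the address it actually came from.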