Not understanding new trusted_proxies rules

Solution:

  1. trusted_proxies as a snippet, call it under every reverse_proxy
  2. I didn’t have tls internal set up so added that in. Works fine now.
  3. SSL/TLS set to Full in Cloudflare

Updated to 2.5 and the trusted_proxies change is messing with my setup. I do use Cloudflare proxy in front of my setup, and am trying to figure out where the trusted_proxy block needs to go. My Google-fu is failing and it doesn’t seem to have a good page in the wiki.

Something like this in global options:

trusted_proxies {
        173.245.48.0/20
        103.21.244.0/22
        103.22.200.0/22
        103.31.4.0/22
        141.101.64.0/18
        108.162.192.0/18
        190.93.240.0/20
        188.114.96.0/20
        197.234.240.0/22
        198.41.128.0/17
        162.158.0.0/15
        104.16.0.0/13
        104.24.0.0/14
        172.64.0.0/13
        131.0.72.0/22
}

What I have now (before the update):

(headers) {
        header {
                Strict-Transport-Security max-age=31536000;
                X-Content-Type-Options nosniff
                X-Frame-Options DENY
                Referrer-Policy no-referrer-when-downgrade
                X-XSS-Protection 1
        }
}
collabora.$DOMAIN {
        encode gzip
        @collabora {
                path /loleaflet/*
                path /hosting/discovery
                path /hosting/capabilities
                path /lool/*
        }
        reverse_proxy @collabora 172.16.0.112:9980
}

drive.$DOMAIN {
        reverse_proxy 172.16.0.252:8080
}

family.$DOMAIN {
        reverse_proxy 172.16.0.169:8080
}

Then for Nextcloud (drive.$DOMAIN), this is the Caddyfile

:8080 {
        root * /srv/nextcloud
        file_server
        encode gzip zstd
        php_fastcgi unix//run/php/php8.0-fpm.sock
        header {
                Strict-Transport-Security max-age=31536000;
        }

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301

        @forbidden {
                path /.htaccess
                path /data/*
                path /config/*
                path /db_structure
                path /.xml
                path /README
                path /3rdparty/*
                path /lib/*
                path /templates/*
                path /occ
                path /console.php
        }
        respond @forbidden 404
}

It’s a subdirective of reverse_proxy:

reverse_proxy 172.16.0.169:8080 {
	trusted_proxies 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
}

Okay, it’s at least reloading the Caddyfile now, but Cloudflare is throwing SSL handshake errors, even after purging the cache.

That’s not a problem with trusted_proxies, that’s unrelated.

Yes, correct, sorry. Now I need to figure out why that’s happening. Appreciate the help.

Any plans of being able to declare trusted_proxies globally?

No plans for that right now.

You can make a snippet and copy it into each of your reverse_proxy.

Went from full encryption in Cloudflare to flexible to get rid of the handshake error, now I’m getting timeouts.

Figured it out, edited post with final solution.