Hello! I have a question about the headers.request.set functionality. I currently have this block (sorry it’s in TOML–it’s automagically converted to JSON at runtime):
I am wondering if there’s any way to conditionally set X-Real-IP to Cloudfront-Viewer-Address, but if that header is not there, use {http.request.remote.host} as a default?
I did see handler.headers.replace, but I think that does a wholesale replacement–not a conditional replacement?
Also, if you have Cloudflare in front of Caddy, you should configure trusted_proxies (http server config). You can use WeidiDeng/caddy-cloudflare-ip (on GitHub) to automate loading Cloudflare’s IP ranges to trust those, and you can configure client_ip_headers to Cf-Connecting-Ip, which is the header Cloudflare uses to pass through the original client IP.
I had to add those, or the real IP address of the connecting client wasn’t reported correctly to upstream services (like WordPress). Are you saying I should remove the set statement I have, and they should already be set correctly?
I’m a little confused–I am using AWS CloudFront in front of Caddy, should I use the Cloudflare IP ranges you mentioned for trusted_proxy settings?
Thank you for the info @francislavoie , I think this may come down to an issue with an intermediary proxy (Fabio) that is running on each Nomad server as another ingress layer (yes, I know it’s gross). I am going to simplify this approach eventually (by standardizing on a global Caddy deployment), at which point I think this issue will go away. Thank you!!
You have another proxy between Caddy and your apps? Then yeah, make sure that proxy is configured correctly to pass through X-Forwarded-For and it would work fine.
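The thread's two ideas, trusting a client-IP header only when the request arrives from a trusted proxy range and otherwise defaulting to the remote host, can be sketched as a simplified model in Go. This is an added example, not Caddy's code or anything posted in the thread; the function name `clientIP`, the sample addresses and the accepted value formats (bare IP, or ip:port with IPv6 in brackets) are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
)

// clientIP picks the address to report upstream (for example as X-Real-IP).
// Headers in names are honoured only when the direct peer is inside a trusted
// proxy range; in every other case the peer address is the fallback.
// Assumed value formats: bare IP, or ip:port (IPv6 in brackets).
func clientIP(remoteAddr string, h http.Header, trusted []netip.Prefix, names []string) string {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return ""
	}
	peerIP := peer.Addr().Unmap()
	fromProxy := false
	for _, p := range trusted {
		fromProxy = fromProxy || p.Contains(peerIP)
	}
	if !fromProxy {
		return peerIP.String() // header is client-controlled here; ignore it
	}
	for _, name := range names {
		v := h.Get(name)
		if ap, err := netip.ParseAddrPort(v); err == nil {
			return ap.Addr().String()
		}
		if a, err := netip.ParseAddr(v); err == nil {
			return a.String()
		}
	}
	return peerIP.String() // header absent or unparsable: default to the peer
}

func main() {
	// Constructed sample values (documentation address ranges).
	trusted := []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}
	names := []string{"Cloudfront-Viewer-Address"}
	h := http.Header{}
	h.Set("Cloudfront-Viewer-Address", "198.51.100.10:46532")
	fmt.Println(clientIP("203.0.113.7:443", h, trusted, names))             // via trusted proxy
	fmt.Println(clientIP("192.0.2.50:5555", h, trusted, names))             // direct peer, header ignored
	fmt.Println(clientIP("203.0.113.7:443", http.Header{}, trusted, names)) // header missing
}
```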