"realip" to the app behind the reverse proxy

1. Output of caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I run Caddy:

a. System environment:

On a dedicated Linux VM
As a gate from internet to 3 servers (4 services), with reverse proxy

a. System environment:

ubuntu 20.04
systemd

b. Command:

sudo systemctl enable --now caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# Caddyfile
# 13/12/2022 - initial
# 19/12/2022 - change check on utl and countries to allow robots on bris.fr
#
{
	#debug
	order rate_limit before basicauth
}

(checks) {
	# check if the client is local
	@is_local remote_ip 192.168.9.0/24

	# check if the client is from an authorised country (with the plugin caddy-maxmind-geolocation)
	@in_countries {
		maxmind_geolocation {
			db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
			allow_countries FR PT DK SE NL AT BE DE LU IE IT ES GI GB CH MC AD LI NO VA SM
		}
	}

	# check if the url is wp admin... and so authorised from local only 
	@url_wp_adm {
		path /wp-admin* /wp-login* /wp-comments*
	}
}

(rateLimit) {
	# rate limit for all client (static_limit) and each client (dynamic_limit)
	rate_limit {
		distributed
		zone static_limit {
			key static
			events 100
			window 10s
		}
		zone dynamic_limit {
			key {remote_host}
			events 400
			window 1m
		}
	}
}

(logsW) {
	log {
		output file /var/log/caddy/access.log
	}
}

(handleProxyWP) {
	# handle the reverse proxy for WordPress, based on the previous snippet with the target as argument
	import checks

	handle @is_local {
		reverse_proxy {args.0}
	}

	handle @url_wp_adm {
		abort
	}

	handle {
		import rateLimit
		reverse_proxy {args.0}
	}
}

(handleProxyPrivate) {
	# handle the reverse proxy for private sites, based on the previous snippet with the target as argument
	import checks

	handle @is_local {
		reverse_proxy {args.0}
	}

	handle @in_countries {
		import rateLimit
		reverse_proxy {args.0}
	}

	handle {
		abort
	}
}

www.atelier.bris.fr bris.fr www.bris.fr {
	redir https://atelier.bris.fr{uri}
}

atelier.bris.fr {
	handle_path /defaultsite {
		redir https://atelier.bris.fr
	}

	import handleProxyWP "http://atelier.lan.bris.fr:80"
	import logsW
}

hestia.bris.fr {
	import handleProxyPrivate "http://hestia.lan.bris.fr:8080"
	import logsW
}

crios.bris.fr {
	import handleProxyPrivate "http://crios.lan.bris.fr:5000"
	import logsW
}

acros.i234.me acros.bris.fr {
	import handleProxyPrivate "http://crios.lan.bris.fr:7000"
	import logsW
}

3. The problem I’m having:

I have domoticz behind caddy and I’d like to get the real IP of the host at the origin of the request.
Before Caddy (last week) the reverse proxy was done by a Synology NAS and I’ve set:

Upgrade $http_upgrade
Connection $connection_upgrade
Host	$host
X-Real-IP $remote_addr
X-Forwarded-For $proxy_add_x_forwarded_for
X-Scheme $scheme
X-Frame-Options SAMEORIGIN
X-Forwarded-Proto $scheme

I’m not an http guy and I know very little about proxies and nginx :frowning:

4. Error messages and/or full log output:

no error message
in domoticz I’ve got

2022-12-19 22:55:42.099 Error: Failed login attempt from 192.168.9.207 for user 'er' !
2022-12-19 22:58:22.831 Error: Failed login attempt from 192.168.9.207 for user 'er' !

192.168.9.207 is the IP of Caddy not the host of the request (the same from my LAN and from the WAN)

5. What I already tried:

A lot of combinations with X-Forwarded-* with no success
I’ve started:
“You’ll need to use the realip plugin, which replaces the RemoteAddr field in the request as early as possible with the value from the X-Forwarded-For header.”
But
“Effective as of Caddy 2.5.x, this plugin no longer works. See the following thread for additional information on the specifics: Trouble with Logging Changes”

6. Links to relevant resources:

Caddy passes through the original client IP via the X-Forwarded-For header automatically.

Do you have some other proxy in front of Caddy? If so, you need to set up trusted_proxies.

Or, do you have something that might be changing the TCP packets to make it look like they come from the same machine?

Turn on debug global option and show us your logs.


“automatically” So, I understand, there is nothing to do; am I right?

there is from outside
router → caddy → domoticz

from inside (I suppose) DNS → router → caddy → domoticz (as before when Synology was doing the reverse-proxy)

Some log

2022/12/20 07:47:37.838 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 8}
2022/12/20 07:47:37.839 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/12/20 07:47:37.840 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS  {"server_name": "srv0", "https_port": 443}
2022/12/20 07:47:37.841 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2022/12/20 07:47:37.842 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2022/12/20 07:47:37.843 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": true}
2022/12/20 07:47:37.844 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2022/12/20 07:47:37.845 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2022/12/20 07:47:37.845 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2022/12/20 07:47:37.846 INFO    http    enabling automatic TLS certificate management   {"domains": ["hestia.bris.fr"]}
2022/12/20 07:47:37.847 DEBUG   tls     loading managed certificate     {"domain": "hestia.bris.fr", "expiration": "2023/03/12 16:44:05.000", "issuer_key": "acme-v02.api.letsencrypt.org-directory", "storage": "FileStorage:/root/.local/share/caddy"}
2022/12/20 07:47:37.849 DEBUG   tls.cache       added certificate to cache      {"subjects": ["hestia.bris.fr"], "expiration": "2023/03/12 16:44:05.000", "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "7bc6364429263014cd5a9e28ae0f5881fa153588ac148b339571c0b81e062d68", "cache_size": 1, "cache_capacity": 10000}
2022/12/20 07:47:37.850 DEBUG   events  event   {"name": "cached_managed_cert", "id": "4a16750a-7eb1-4d8d-b60c-80d96b62958d", "origin": "tls", "data": {"sans":["hestia.bris.fr"]}}
2022/12/20 07:47:37.851 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2022/12/20 07:47:37.851 INFO    serving initial configuration
2022/12/20 07:47:37.852 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000189420"}
2022/12/20 07:47:37.853 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2022/12/20 07:47:37.858 INFO    tls     finished cleaning storage units
2022/12/20 07:47:39.627 DEBUG   events  event   {"name": "tls_get_certificate", "id": "13167e3d-cd42-4718-b35b-72270de4bc44", "origin": "tls", "data": {"client_hello":{"CipherSuites":[39578,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"hestia.bris.fr","SupportedCurves":[60138,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[56026,772,771],"Conn":{}}}}
2022/12/20 07:47:39.629 DEBUG   tls.handshake   choosing certificate    {"identifier": "hestia.bris.fr", "num_choices": 1}
2022/12/20 07:47:39.629 DEBUG   tls.handshake   default certificate selection results   {"identifier": "hestia.bris.fr", "subjects": ["hestia.bris.fr"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "7bc6364429263014cd5a9e28ae0f5881fa153588ac148b339571c0b81e062d68"}
2022/12/20 07:47:39.630 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.9.1", "remote_port": "59738", "subjects": ["hestia.bris.fr"], "managed": true, "expiration": "2023/03/12 16:44:05.000", "hash": "7bc6364429263014cd5a9e28ae0f5881fa153588ac148b339571c0b81e062d68"}
2022/12/20 07:47:39.637 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:39.644 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.006600614, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getlog&lastlogtime=1671522423&loglevel=268435455", "headers": {"Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Sec-Ch-Ua-Mobile": ["?0"], "Accept-Encoding": ["gzip, deflate, br"], "Accept": ["application/json, text/plain, */*"], "X-Forwarded-Host": ["hestia.bris.fr"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "X-Forwarded-For": ["192.168.9.1"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Sec-Fetch-Dest": ["empty"], "Referer": ["https://hestia.bris.fr/"], "X-Forwarded-Proto": ["https"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-Mode": ["cors"], "Cookie": []}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"], "Content-Encoding": ["gzip"], "Content-Length": ["244"], "Cache-Control": ["no-cache"], "Pragma": ["no-cache"]}, "status": 200}
2022/12/20 07:47:43.911 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:43.920 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.007816159, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/", "headers": {"Sec-Ch-Ua-Mobile": ["?0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Accept-Encoding": ["gzip, deflate, br"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Host": ["hestia.bris.fr"], "X-Forwarded-Proto": ["https"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Sec-Fetch-Mode": ["navigate"], "Upgrade-Insecure-Requests": ["1"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Site": ["same-origin"], "If-Modified-Since": ["Sat, 08 Oct 2022 05:45:39 GMT"], "Cache-Control": ["max-age=0"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Cookie": [], "Service-Worker-Navigation-Preload": ["true"], "Sec-Fetch-Dest": ["document"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {}, "status": 304}
2022/12/20 07:47:44.079 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:44.080 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:44.087 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.00675171, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/styles/default/custom.css", "headers": {"X-Forwarded-For": ["192.168.9.1"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Sec-Fetch-Dest": ["empty"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept": ["text/css,*/*;q=0.1"], "Sec-Fetch-Site": ["same-origin"], "Cookie": [], "X-Forwarded-Host": ["hestia.bris.fr"], "Referer": ["https://hestia.bris.fr/"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Sec-Ch-Ua-Mobile": ["?0"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "X-Forwarded-Proto": ["https"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Fetch-Mode": ["no-cors"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Encoding": ["gzip"], "Access-Control-Allow-Origin": ["*"], "X-Xss-Protection": ["1; mode=block"], "Content-Type": ["text/css;charset=UTF-8"], "Content-Length": ["501"], "X-Content-Type-Options": ["nosniff"]}, "status": 200}
2022/12/20 07:47:44.091 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.00838713, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/styles/default/custom.js", "headers": {"Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-Mode": ["no-cors"], "Referer": ["https://hestia.bris.fr/"], "X-Forwarded-For": ["192.168.9.1"], "Sec-Ch-Ua-Mobile": ["?0"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Cookie": [], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Sec-Fetch-Dest": ["empty"], "Accept-Encoding": ["gzip, deflate, br"], "Accept": ["*/*"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "X-Forwarded-Host": ["hestia.bris.fr"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "X-Forwarded-Proto": ["https"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Encoding": ["gzip"], "Content-Type": ["application/javascript;charset=UTF-8"], "Access-Control-Allow-Origin": ["*"], "Content-Length": ["679"], "X-Content-Type-Options": ["nosniff"], "X-Xss-Protection": ["1; mode=block"]}, "status": 200}
2022/12/20 07:47:46.263 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:46.277 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.013147976, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getconfig", "headers": {"User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "X-Forwarded-Proto": ["https"], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Dest": ["empty"], "Sec-Ch-Ua-Mobile": ["?0"], "Accept-Encoding": ["gzip, deflate, br"], "X-Forwarded-Host": ["hestia.bris.fr"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Cookie": [], "X-Forwarded-For": ["192.168.9.1"], "Sec-Fetch-Site": ["same-origin"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Accept": ["application/json, text/javascript, */*; q=0.01"], "Referer": ["https://hestia.bris.fr/"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "X-Requested-With": ["XMLHttpRequest"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Length": ["291"], "Cache-Control": ["no-cache"], "Content-Encoding": ["gzip"], "Pragma": ["no-cache"], "Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"]}, "status": 200}
2022/12/20 07:47:46.428 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:46.436 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.006835563, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getversion", "headers": {"Referer": ["https://hestia.bris.fr/"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "X-Requested-With": ["XMLHttpRequest"], "Cookie": [], "X-Forwarded-For": ["192.168.9.1"], "Sec-Fetch-Dest": ["empty"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Accept": ["application/json, text/javascript, */*; q=0.01"], "X-Forwarded-Proto": ["https"], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Site": ["same-origin"], "X-Forwarded-Host": ["hestia.bris.fr"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Access-Control-Allow-Origin": ["*"], "Content-Length": ["319"], "Cache-Control": ["no-cache"], "Pragma": ["no-cache"], "Content-Type": ["application/json;charset=UTF-8"], "Content-Encoding": ["gzip"]}, "status": 200}
2022/12/20 07:47:46.462 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:46.468 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.005596841, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getauth", "headers": {"Cookie": [], "X-Requested-With": ["XMLHttpRequest"], "Sec-Fetch-Site": ["same-origin"], "X-Forwarded-Host": ["hestia.bris.fr"], "Referer": ["https://hestia.bris.fr/"], "Accept-Encoding": ["gzip, deflate, br"], "X-Forwarded-For": ["192.168.9.1"], "Sec-Fetch-Dest": ["empty"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Fetch-Mode": ["cors"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept": ["application/json, text/javascript, */*; q=0.01"], "X-Forwarded-Proto": ["https"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Cache-Control": ["no-cache"], "Pragma": ["no-cache"], "Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"], "Content-Encoding": ["gzip"], "Content-Length": ["98"]}, "status": 200}
2022/12/20 07:47:46.683 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:46.696 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.011503213, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getlog&lastlogtime=0&loglevel=268435455", "headers": {"Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-Mode": ["cors"], "Sec-Ch-Ua-Mobile": ["?0"], "Cookie": [], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "X-Forwarded-Proto": ["https"], "Accept": ["application/json, text/plain, */*"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Fetch-Dest": ["empty"], "Referer": ["https://hestia.bris.fr/"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Host": ["hestia.bris.fr"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Access-Control-Allow-Origin": ["*"], "Cache-Control": ["no-cache"], "Content-Length": ["3183"], "Content-Type": ["application/json;charset=UTF-8"], "Content-Encoding": ["gzip"], "Pragma": ["no-cache"]}, "status": 200}
2022/12/20 07:47:46.846 DEBUG   events  event   {"name": "tls_get_certificate", "id": "7e9af3c7-2ad2-4963-a03a-15ad3a03dcbb", "origin": "tls", "data": {"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"hestia.bris.fr","SupportedCurves":[10794,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"Conn":{}}}}
2022/12/20 07:47:46.847 DEBUG   tls.handshake   choosing certificate    {"identifier": "hestia.bris.fr", "num_choices": 1}
2022/12/20 07:47:46.848 DEBUG   tls.handshake   default certificate selection results   {"identifier": "hestia.bris.fr", "subjects": ["hestia.bris.fr"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "7bc6364429263014cd5a9e28ae0f5881fa153588ac148b339571c0b81e062d68"}
2022/12/20 07:47:46.849 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.9.1", "remote_port": "59747", "subjects": ["hestia.bris.fr"], "managed": true, "expiration": "2023/03/12 16:44:05.000", "hash": "7bc6364429263014cd5a9e28ae0f5881fa153588ac148b339571c0b81e062d68"}
2022/12/20 07:47:46.855 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:46.862 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.006099685, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/", "headers": {"Sec-Ch-Ua-Platform": ["\"Windows\""], "Upgrade-Insecure-Requests": ["1"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Proto": ["https"], "X-Forwarded-Host": ["hestia.bris.fr"], "If-Modified-Since": ["Sat, 08 Oct 2022 05:45:39 GMT"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Accept-Language": ["en-US,en;q=0.9"], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-User": ["?1"], "Sec-Ch-Ua-Mobile": ["?0"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Fetch-Dest": ["document"], "Sec-Fetch-Mode": ["navigate"], "Cache-Control": ["max-age=0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {}, "status": 304}
2022/12/20 07:47:46.950 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:46.957 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.00590415, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/styles/default/custom.css", "headers": {"User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Referer": ["https://hestia.bris.fr/"], "Sec-Fetch-Dest": ["style"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Proto": ["https"], "Accept": ["text/css,*/*;q=0.1"], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-Mode": ["no-cors"], "X-Forwarded-Host": ["hestia.bris.fr"], "Accept-Language": ["en-US,en;q=0.9"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Sec-Ch-Ua-Mobile": ["?0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Encoding": ["gzip"], "Content-Type": ["text/css;charset=UTF-8"], "Content-Length": ["501"], "Access-Control-Allow-Origin": ["*"], "X-Xss-Protection": ["1; mode=block"], "X-Content-Type-Options": ["nosniff"]}, "status": 200}
2022/12/20 07:47:46.996 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:47.004 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.006357028, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/styles/default/custom.js", "headers": {"Sec-Fetch-Site": ["same-origin"], "Accept-Language": ["en-US,en;q=0.9"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Host": ["hestia.bris.fr"], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Accept": ["*/*"], "Referer": ["https://hestia.bris.fr/"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Accept-Encoding": ["gzip, deflate, br"], "X-Forwarded-Proto": ["https"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Sec-Fetch-Mode": ["no-cors"], "Sec-Fetch-Dest": ["script"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Type": ["application/javascript;charset=UTF-8"], "Content-Length": ["679"], "Access-Control-Allow-Origin": ["*"], "X-Content-Type-Options": ["nosniff"], "X-Xss-Protection": ["1; mode=block"], "Content-Encoding": ["gzip"]}, "status": 200}
2022/12/20 07:47:48.258 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:48.264 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.004524618, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/service-worker.js", "headers": {"Sec-Fetch-Mode": ["same-origin"], "Sec-Fetch-Dest": ["serviceworker"], "Accept": ["*/*"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Proto": ["https"], "X-Forwarded-Host": ["hestia.bris.fr"], "Accept-Encoding": ["gzip, deflate, br"], "Cache-Control": ["max-age=0"], "Service-Worker": ["script"], "Sec-Fetch-Site": ["same-origin"], "Referer": ["https://hestia.bris.fr/"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Accept-Language": ["en-US,en;q=0.9"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Length": ["91"], "Content-Type": ["text/html;charset=UTF-8"], "Set-Cookie": []}, "status": 401}
2022/12/20 07:47:48.450 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:48.459 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.007820651, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getconfig", "headers": {"Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "X-Requested-With": ["XMLHttpRequest"], "X-Forwarded-Host": ["hestia.bris.fr"], "X-Forwarded-Proto": ["https"], "Sec-Fetch-Dest": ["empty"], "Accept-Language": ["en-US,en;q=0.9"], "Accept": ["application/json, text/javascript, */*; q=0.01"], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-Mode": ["cors"], "Sec-Ch-Ua-Mobile": ["?0"], "X-Forwarded-For": ["192.168.9.1"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Referer": ["https://hestia.bris.fr/"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Cache-Control": ["no-cache"], "Pragma": ["no-cache"], "Content-Encoding": ["gzip"], "Content-Length": ["294"], "Content-Type": ["application/json;charset=UTF-8"], "Access-Control-Allow-Origin": ["*"]}, "status": 200}
2022/12/20 07:47:48.490 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:48.497 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.005282978, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getversion", "headers": {"Sec-Fetch-Dest": ["empty"], "Accept-Language": ["en-US,en;q=0.9"], "X-Requested-With": ["XMLHttpRequest"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Accept-Encoding": ["gzip, deflate, br"], "Accept": ["application/json, text/javascript, */*; q=0.01"], "Sec-Fetch-Mode": ["cors"], "X-Forwarded-Proto": ["https"], "X-Forwarded-Host": ["hestia.bris.fr"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Referer": ["https://hestia.bris.fr/"], "X-Forwarded-For": ["192.168.9.1"], "Sec-Ch-Ua-Mobile": ["?0"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Sec-Fetch-Site": ["same-origin"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Type": ["application/json;charset=UTF-8"], "Content-Encoding": ["gzip"], "Content-Length": ["211"], "Cache-Control": ["no-cache"], "Pragma": ["no-cache"], "Access-Control-Allow-Origin": ["*"]}, "status": 200}
2022/12/20 07:47:48.508 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:48.514 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.005106219, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getauth", "headers": {"Sec-Fetch-Dest": ["empty"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Ch-Ua-Mobile": ["?0"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "X-Forwarded-Host": ["hestia.bris.fr"], "X-Requested-With": ["XMLHttpRequest"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""], "Sec-Ch-Ua-Platform": ["\"Windows\""], "Sec-Fetch-Mode": ["cors"], "Referer": ["https://hestia.bris.fr/"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Proto": ["https"], "Accept": ["application/json, text/javascript, */*; q=0.01"], "Sec-Fetch-Site": ["same-origin"], "Accept-Language": ["en-US,en;q=0.9"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Length": ["73"], "Cache-Control": ["no-cache"], "Pragma": ["no-cache"], "Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"]}, "status": 200}
2022/12/20 07:47:48.660 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:48.668 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.006364252, "request": {"remote_ip": "192.168.9.1", "remote_port": "59747", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/json.htm?type=command&param=getlanguage", "headers": {"Sec-Fetch-Dest": ["empty"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Accept-Language": ["en-US,en;q=0.9"], "Accept": ["application/json, text/javascript, */*; q=0.01"], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Fetch-Mode": ["cors"], "X-Forwarded-For": ["192.168.9.1"], "X-Requested-With": ["XMLHttpRequest"], "Sec-Fetch-Site": ["same-origin"], "Referer": ["https://hestia.bris.fr/"], "Accept-Encoding": ["gzip, deflate, br"], "Sec-Ch-Ua-Platform": ["\"Windows\""], "X-Forwarded-Proto": ["https"], "X-Forwarded-Host": ["hestia.bris.fr"], "Sec-Ch-Ua": ["\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\""]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Length": ["67"], "Access-Control-Allow-Origin": ["*"], "Content-Type": ["application/json;charset=UTF-8"], "Cache-Control": ["no-cache"], "Pragma": ["no-cache"]}, "status": 200}
2022/12/20 07:47:49.631 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "hestia.lan.bris.fr:8080", "total_upstreams": 1}
2022/12/20 07:47:49.643 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "hestia.lan.bris.fr:8080", "duration": 0.010498881, "request": {"remote_ip": "192.168.9.1", "remote_port": "59738", "proto": "HTTP/2.0", "method": "GET", "host": "hestia.bris.fr", "uri": "/service-worker.js", "headers": {"Cache-Control": ["max-age=0"], "Referer": ["https://hestia.bris.fr/service-worker.js"], "Sec-Fetch-Dest": ["serviceworker"], "Accept-Language": ["en-US,en;q=0.9,fr;q=0.8"], "Sec-Fetch-Mode": ["same-origin"], "X-Forwarded-For": ["192.168.9.1"], "X-Forwarded-Host": ["hestia.bris.fr"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"], "Accept-Encoding": ["gzip, deflate, br"], "Accept": ["*/*"], "Sec-Fetch-Site": ["same-origin"], "X-Forwarded-Proto": ["https"], "Service-Worker": ["script"], "Cookie": []}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "hestia.bris.fr"}}, "headers": {"Content-Length": ["1055"], "Cache-Control": ["no-cache"], "Access-Control-Allow-Origin": ["*"], "Content-Encoding": ["gzip"], "Pragma": ["no-cache"], "Content-Type": ["application/javascript;charset=UTF-8"]}, "status": 200}

from a small Caddyfile


#
{
        debug
}

hestia.bris.fr {
        @is_local remote_ip 192.168.9.0/24
        handle @is_local {
                reverse_proxy "http://hestia.lan.bris.fr:8080"
        }
}

I've just removed the DSM (from Synology), no longer necessary with Caddy 🙂
So from the LAN it's My PC → Caddy (192.168.9.207) → Domoticz
No change:
Failed login attempt from 192.168.9.207 for user 'ss' !

Yeah, nothing to do, as long as you don't have another proxy in front of Caddy.

The logs look fine. The remote_ip looks correct I think, and the X-Forwarded-For header is definitely passed through.

Minor thing, you don't need the quotes here because you don't have any spaces in your upstream address that would require it. And you don't need http:// because that's the default. So you could shorten it to simply reverse_proxy hestia.lan.bris.fr:8080 if you like.

Also, currently your Caddyfile doesn't do anything with requests that aren't from 192.168.9.0/24. You should probably add a fallback handle block (one with no matcher) to catch those, so you can explicitly reject those requests I guess. You could use the abort directive or respond 403 or something like that.

That doesnā€™t seem like a problem with Caddy. It sounds like a problem with your upstream app.

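The reply above says the X-Forwarded-For header is arriving and the remaining work is on the upstream app's side. As an added example (not code from the thread, Caddy or Domoticz), here is how an upstream app should recover the client address: trust X-Forwarded-For only when the TCP peer is the known proxy (assumed here to be Caddy at 192.168.9.207, the address in the Domoticz log line), and walk the chain from the right so a client cannot spoof its own address by sending a forged header.

```python
import ipaddress
from typing import Optional

# Assumption for this example: Caddy is the only proxy in front of the app and
# talks to it from 192.168.9.207 (the address Domoticz logged in the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.9.207/32")]


def _parse(addr: str):
    """Parse one IP literal; return None instead of raising on garbage."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(ip, trusted) -> bool:
    return any(ip in net for net in trusted)


def client_ip(peer_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address the app should log as the client.

    peer_addr: the TCP peer the app accepted the connection from.
    xff:       the raw X-Forwarded-For header value, or None if absent.
    """
    peer = _parse(peer_addr)
    if peer is None:
        raise ValueError(f"bad peer address: {peer_addr!r}")
    # A header from anyone other than our own proxy is untrusted input: ignore it.
    if not xff or not _is_trusted(peer, trusted):
        return str(peer)
    hops = [_parse(h) for h in xff.split(",")]
    # Walk right to left: the proxy appends the address it saw, so the first hop
    # that is not one of our proxies is the real client. Anything left of it was
    # supplied by the client and cannot be trusted.
    for hop in reversed(hops):
        if hop is None:
            return str(peer)  # malformed header: fall back to the peer address
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(hops[0])  # every hop is one of ours (e.g. a proxy health check)


if __name__ == "__main__":
    # Constructed sample: what Domoticz receives for the request logged by Caddy.
    print(client_ip("192.168.9.207", "192.168.9.1"))  # 192.168.9.1
```

With the header consulted, the app's own log line becomes "Failed login attempt from 192.168.9.1 ..." instead of reporting the proxy's address.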

Thanks again for your reply
and your advice
I've removed the quotes and the http://

Regarding the "your Caddyfile doesn't do anything with requests that aren't from 192.168.9.0/24"
In my previous reply I put a reduced Caddyfile in order to have less logging
The full Caddyfile is at the top of the topic and there are things to do for the other requests
