1. Caddy version (caddy version):
2.2.1
2. How I run Caddy:
Running caddy via docker-compose in a debian VM (proxmox host environment)
a. System environment:
latest debian
docker version 19.03.13
b. Command:
docker-compose up -d
c. Service/unit/compose file:
full Dockerfile
RUN xcaddy build v2.2.1 \
    --with github.com/caddy-dns/cloudflare@latest \
    --with github.com/greenpau/caddy-auth-jwt \
    --with github.com/greenpau/caddy-auth-portal \
    --with github.com/kirsch33/format-encoder@latest
full docker-compose.yml
version: "3.7"
services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      # variable names must match the {env.CLOUDFLARE_API_TOKEN} placeholder in the Caddyfile
      # (the posted file spelled them CLOUDFARE_*, which the Caddyfile never reads)
      - CLOUDFLARE_EMAIL=MY_EMAIL
      - CLOUDFLARE_API_TOKEN=MY_TOKEN
    volumes:
      - /web/Caddyfile:/etc/caddy/Caddyfile
      - /web/auth:/authdb
      - /web/site:/srv
      - /var/docks/caddy/data:/data
      - /var/docks/caddy/config:/config
d. My complete Caddyfile or JSON config:
https://greatwhitelab.net {
    route /auth* {
        auth_portal {
            path /auth
            backends {
                local_backend {
                    method local
                    path /authdb/users.json
                    realm local
                }
            }
            cookie_domain greatwhitelab.net
            jwt {
                token_name access_token
                token_secret TOKEN_SECRET
                token_issuer TOKEN_ISSUER
            }
            ui {
                links {
                    "Plex" https://plex.greatwhitelab.net
                }
            }
        }
    }
    route {
        redir https://greatwhitelab.net/auth 302
    }
    tls atki224@g.uky.edu {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    encode gzip
    # header_up is a reverse_proxy subdirective and is not valid inside header;
    # request_header is the Caddy v2 directive that rewrites a request header
    request_header X-Forwarded-For {>CF-Connecting-IP}
    header {
        Strict-Transport-Security max-age=31536000;
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        Referrer-Policy no-referrer-when-downgrade
        X-XSS-Protection 1
    }
    log {
        format formatted "{request>headers>X-Forwarded-For} {ts} {request>method} {request>uri} {request>proto} {status}"
        output file /authdb/access.log {
            roll_size 50MiB
            roll_keep 5
            roll_keep_for 48h
        }
    }
}
3. The problem I'm having:
Apologies for posting twice within short order. I have withdrawn my other thread after researching my problem more. If you read what I posted last night, please ignore it and read below instead:
I'm trying to set up fail2ban while using the Cloudflare proxy service. I have my auth logs formatted correctly to see the failed attempts and the corresponding client IP by passing the X-Forwarded-For header to the output log; however, the problem is that iptables cannot read headers with full SSL enabled… so all I can ever read from iptables is the Cloudflare server IP that is being passed as RemoteAddr on the request.
I need to be able to rewrite RemoteAddr to be equal to the value Cloudflare sets in the X-Forwarded-For header for this to work. I understand that in Caddy v1 the realip module provided this functionality, and I've seen some posts mention it but with no follow-up, such as the post below:
Can anyone shed some light on whether the ability to set RemoteAddr was ever added to Caddy v2, and if so, what that may look like? Any pointers to get this working would be helpful.
4. Error messages and/or full log output:
["ACTUAL_CLIENT_IP"] 2020-10-26T01:40:10Z POST /auth HTTP/1.1 401
5. What I already tried:
See above
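Added example, not part of the original post: a small fail2ban-style filter for the exact log format used above, which extracts the client address from the logged X-Forwarded-For array and counts 401s on /auth within a window. It takes the rightmost valid entry of the header, because the proxy appends the connecting address last and anything before it may have been supplied by the client. The sample log lines and the documentation IP addresses are constructed for this example.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field order of the post's log format: {X-Forwarded-For array} {ts} {method} {uri} {proto} {status}
LINE_RE = re.compile(r'^(\[.*?\]) (\S+) (\S+) (\S+) (\S+) (\d{3})$')

# Constructed sample: line 3 carries a client-supplied entry ahead of the address the proxy
# appended; line 7 is an unparseable value that must be ignored rather than acted on.
SAMPLE_LOG = [
    '["203.0.113.7"] 2020-10-26T01:40:10Z POST /auth HTTP/1.1 401',
    '["203.0.113.7"] 2020-10-26T01:40:12Z POST /auth HTTP/1.1 401',
    '["1.1.1.1, 203.0.113.7"] 2020-10-26T01:40:15Z POST /auth HTTP/1.1 401',
    '["198.51.100.9"] 2020-10-26T01:41:00Z POST /auth HTTP/1.1 401',
    '["198.51.100.9"] 2020-10-26T01:41:03Z GET /auth HTTP/1.1 200',
    '["198.51.100.9"] 2020-10-26T02:41:03Z POST /auth HTTP/1.1 401',
    '["not-an-ip"] 2020-10-26T01:42:00Z POST /auth HTTP/1.1 401',
]

def client_ip_from_xff(xff_field):
    # Rightmost valid address wins: it is the one the proxy itself appended, earlier ones are untrusted.
    try:
        values = json.loads(xff_field)
    except json.JSONDecodeError:
        return None
    entries = [e.strip() for v in values for e in v.split(",")]
    for candidate in reversed(entries):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None

def failed_auth_candidates(lines, maxretry=3, findtime=timedelta(minutes=10)):
    # fail2ban semantics: maxretry 401s on /auth inside one findtime window => ban candidate.
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(6) != "401" or not m.group(4).startswith("/auth"):
            continue
        ip = client_ip_from_xff(m.group(1))
        if ip:
            hits[ip].append(datetime.strptime(m.group(2), "%Y-%m-%dT%H:%M:%SZ"))
    banned = set()
    for ip, stamps in hits.items():
        stamps.sort()
        if any(stamps[i + maxretry - 1] - stamps[i] <= findtime for i in range(len(stamps) - maxretry + 1)):
            banned.add(ip)
    return banned
```

Because the packets still arrive from Cloudflare's addresses, an iptables rule against the extracted IP would not match anything; the candidate set has to be enforced where the client address is visible, such as a Cloudflare firewall rule or an application-level deny list.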