Running GoPhish with Caddy

If you have gotten the error "Forbidden - referrer link" (Chrome) or "Invalid CSRF token" (Mozilla), the solution is below:

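example.domain {
    # The upstream (GoPhish) address is not given in the post.
    reverse_proxy {
        # {remote_host} is the client IP only; {remote} also carries the port.
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        # A leading "-" removes the header before the request is proxied.
        header_up -Referer
        header_up -Host
        header_up -X-Forwarded-Proto
    }
}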

Documentation and examples of how to put header_up as a sub-directive were hard to find.

Make sure to do the following to your config.json on the gophish server. Changes in bold.

{
    "admin_server": {
        "listen_url": "",
        "use_tls": false,
        "cert_path": "gophish_admin.crt",
        "key_path": "gophish_admin.key",
        "trusted_origins": []
    },
    "phish_server": {
        "listen_url": "",
        "use_tls": false,
        "cert_path": "example.crt",
        "key_path": "example.key"
    },
    "db_name": "sqlite3",
    "db_path": "gophish.db",
    "migrations_prefix": "db/db_",
    "contact_address": "",
    "logging": {
        "filename": "",
        "level": ""
    }
}
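
Added example, not part of the original post: a small Python check for a config.json like the one above, run before starting GoPhish behind Caddy. It flags curly quotes picked up when copying from a rendered page, and plaintext listeners ("use_tls": false) that are not bound to loopback. It assumes Caddy and GoPhish run on the same host; the function name and sample addresses are made up for the illustration.

```python
import json

# Curly quotes that rendered forum pages substitute for ASCII quotes.
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")

def lint_gophish_config(text):
    """Return a list of findings for a GoPhish config.json given as a string."""
    if any(ch in text for ch in SMART_QUOTES):
        return ["smart quotes present: replace with ASCII quotes"]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    findings = []
    for section in ("admin_server", "phish_server"):
        server = cfg.get(section)
        if not isinstance(server, dict):
            findings.append(f"{section}: section missing")
            continue
        listen = server.get("listen_url", "")
        if not listen:
            findings.append(f"{section}: listen_url is empty")
        # With use_tls false, Caddy is the only TLS layer, so the plaintext
        # listener should accept connections from the proxy only (assumption:
        # Caddy and GoPhish share one host).
        elif not server.get("use_tls") and not listen.startswith(LOOPBACK_PREFIXES):
            findings.append(f"{section}: plaintext listener on {listen} is not loopback")
    return findings

# Constructed sample inputs; the addresses are illustrative, not from the post.
PASTED = "{\u201cadmin_server\u201d: {\u201cuse_tls\u201d: false}}"
EXPOSED = json.dumps({
    "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": False},
    "phish_server": {"listen_url": "127.0.0.1:8080", "use_tls": False},
})

if __name__ == "__main__":
    for name, sample in (("pasted", PASTED), ("exposed", EXPOSED)):
        print(name, lint_gophish_config(sample))
```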

Please fill out the help topic template, as per the forum rules.
