Trusted_proxies isn't working globally with Cloudflare IP ranges

1. The problem I’m having:

I’m trying to get real IPs when I’m behind Cloudflare, and to do that, I need to set trusted_proxies. So I set it globally, but I just get a weird error.

2. Error messages and/or full log output:

Error: adapting config using caddyfile: parsing caddyfile tokens for 'servers': /etc/caddy/Caddyfile:4 - Error during parsing: getting module named 'http.ip_sources.173.245.48.0/20': module not registered: http.ip_sources.173.245.48.0/20

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

I installed Caddy through Cloudsmith Debian repos, and then I installed caddy-dns/cloudflare (Caddy module: dns.providers.cloudflare) through caddy add-package github.com/caddy-dns/cloudflare.

a. System environment:

Debian 11 Bullseye, running on amd64. No Docker.

b. Command:

caddy reload --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

{
        auto_https disable_redirects
        servers {
                trusted_proxies 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
        }
}

#{
#       order listencaddy before respond
#}

(common) {
        tls hi@odyssey346.dev
        @no-ua header !User-Agent
        handle @no-ua {
                respond "Set a user agent" 403
        }
        handle_errors {
                respond "It's dead. {err.status_text}"
        }
}

import sites/*

5. Links to relevant resources:

The correct syntax is

trusted_proxies static 173.245.48.0/20 #[snip]

That’s because trusted_proxies implements a system that allows plugins (in this case the built-in http.ip_sources.static plugin) to provide the IP prefixes to trust, and it needs to know which one to use.

I mention this because there’s a better plugin for your exact situation: this module allows you to write

trusted_proxies cloudflare

and get the Cloudflare IPs automatically, and it will even auto-update them for you.

You can get a version of Caddy with that plugin from the download page, just search for “cloudflare-ip”. (or you can compile it in yourself, if you prefer)


By the way, you may also want to configure Cloudflare to delete X-Forwarded-For headers because they are easy to spoof by default.

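An added illustration of the X-Forwarded-For point in the answer above; it is not part of the original posts and is not Caddy's own code. It models a generic server that only honours the header when the socket peer is inside the trusted ranges, and compares two ways of reading the header. The function names, the appending proxy hop and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Two of the Cloudflare ranges from the Caddyfile in the question.
TRUSTED = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "162.158.0.0/15")]

# Constructed sample addresses (documentation ranges, plus one inside a trusted range).
EDGE, REAL_CLIENT, SPOOFED = "173.245.48.10", "198.51.100.7", "203.0.113.99"

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED)

def proxy_forward(peer, xff_in=None):
    """Hypothetical proxy hop: appends its peer to whatever header the client sent."""
    return f"{xff_in}, {peer}" if xff_in else peer

def client_ip_leftmost(peer, xff):
    """Naive: once the socket peer is trusted, believe the first header entry."""
    if not xff or not is_trusted(peer):
        return peer
    return xff.split(",")[0].strip()

def client_ip_rightmost_untrusted(peer, xff):
    """Walk from the nearest hop backwards; the first untrusted address wins."""
    if not xff or not is_trusted(peer):
        return peer
    chain = [p.strip() for p in xff.split(",")]
    try:
        for addr in reversed(chain):
            if not is_trusted(addr):
                return addr
    except ValueError:
        return peer  # malformed entry: fall back to the socket peer
    return chain[0]  # every hop was a trusted proxy

def demo():
    appended = proxy_forward(REAL_CLIENT, SPOOFED)  # client sent its own header
    stripped = proxy_forward(REAL_CLIENT)           # edge removed the client's header
    return {
        "direct, header ignored": client_ip_leftmost(REAL_CLIENT, SPOOFED),
        "via edge, leftmost": client_ip_leftmost(EDGE, appended),
        "via edge, rightmost untrusted": client_ip_rightmost_untrusted(EDGE, appended),
        "via edge, header stripped": client_ip_leftmost(EDGE, stripped),
    }

if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case}: {ip}")
```

Only the "via edge, leftmost" case returns the client-chosen value, which is why removing the client's header at the edge (or reading the chain from the trusted end) matters once proxies are trusted.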