Trusted_proxies isn't working globally with Cloudflare IP ranges

1. The problem I’m having:

I’m trying to get real IPs when I’m behind Cloudflare, and to do that, I need to set trusted_proxies. So I set it globally, but I just get a weird error.

2. Error messages and/or full log output:

Error: adapting config using caddyfile: parsing caddyfile tokens for 'servers': /etc/caddy/Caddyfile:4 - Error during parsing: getting module named 'http.ip_sources.': module not registered: http.ip_sources.

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

I installed Caddy through the Cloudsmith Debian repos, and then I installed the caddy-dns/cloudflare module (dns.providers.cloudflare) through caddy add-package

a. System environment:

Debian 11 Bullseye, running on amd64. No Docker.

b. Command:

caddy reload --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

{
        auto_https disable_redirects
        servers {

        }
#       order listencaddy before respond
}

(common) {
        @no-ua header !User-Agent
        handle @no-ua {
                respond "Set a user agent" 403
        }
        handle_errors {
                respond "It's dead. {err.status_text}"
        }
}

import sites/*

5. Links to relevant resources:

The correct syntax is

trusted_proxies static #[snip]

That’s because trusted_proxies implements a system that allows plugins (in this case the built-in http.ip_sources.static plugin) to provide the IP prefixes to trust, and it needs to know which one to use.

I mention this because there’s a better plugin for your exact situation: this module allows you to write

trusted_proxies cloudflare

and get the Cloudflare IPs automatically, and it will even auto-update them for you.

You can get a version of Caddy with that plugin from the download page, just search for “cloudflare-ip”. (or you can compile it in yourself, if you prefer)

By the way, you may also want to configure Cloudflare to delete X-Forwarded-For headers because they are easy to spoof by default.

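What trusted_proxies actually decides, and why the reply recommends having Cloudflare delete incoming X-Forwarded-For headers, as an added Python example. This is not Caddy's code and not from the original thread: it assumes a constructed subset of Cloudflare edge prefixes (the live list is what the cloudflare-ip plugin fetches and refreshes), client addresses taken from the documentation ranges, and illustrative function names. It models two ways a server can read X-Forwarded-For once the connecting peer is a trusted proxy: believing the leftmost entry, and walking from the right past every trusted hop.

```python
"""Trusted-proxy resolution of X-Forwarded-For (XFF).

Added illustration of the logic behind Caddy's trusted_proxies option;
this is not Caddy's implementation.
"""
import ipaddress

# Constructed subset of Cloudflare edge prefixes, for illustration only.
# The authoritative list is https://www.cloudflare.com/ips/ and changes;
# in production it must be fetched and refreshed, not hard-coded.
SAMPLE_PROXY_PREFIXES = [
    "173.245.48.0/20",
    "104.16.0.0/13",
    "2400:cb00::/32",
]


def build_trust_set(prefixes):
    """Parse CIDR strings once into network objects."""
    return [ipaddress.ip_network(p) for p in prefixes]


def is_trusted(ip, trusted):
    """True if ip falls inside any trusted prefix (v4/v6 never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def parse_xff(header):
    """Split a comma-separated XFF header into its hop list, left to right."""
    return [h.strip() for h in header.split(",") if h.strip()]


def client_ip_leftmost(remote_addr, xff, trusted):
    """Naive policy: once the peer is a trusted proxy, believe the leftmost
    XFF value.  The leftmost value is whatever the original client chose to
    send unless the proxy strips the header first, which is exactly why the
    reply suggests deleting XFF at Cloudflare."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr          # direct hit, header cannot be trusted
    hops = parse_xff(xff)
    return hops[0] if hops else remote_addr


def client_ip_rightmost_untrusted(remote_addr, xff, trusted):
    """Safer policy: walk XFF from the right and skip every hop that is a
    trusted proxy; the first address not under our trust is the client.
    A client-supplied prefix on the left is never reached."""
    if not is_trusted(remote_addr, trusted):
        return remote_addr
    for hop in reversed(parse_xff(xff)):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return remote_addr      # malformed entry: refuse to guess
    return remote_addr              # every hop was ours; nothing to learn


def demo():
    """Constructed scenario: attacker 203.0.113.7 reaches the origin via a
    Cloudflare edge 104.16.1.1 and sends a forged 'X-Forwarded-For: 10.0.0.1'.
    Cloudflare appends the connecting address, so the origin sees the XFF
    below.  Returns what each policy reports as the client."""
    trusted = build_trust_set(SAMPLE_PROXY_PREFIXES)
    edge, forged_xff = "104.16.1.1", "10.0.0.1, 203.0.113.7"
    return {
        "leftmost": client_ip_leftmost(edge, forged_xff, trusted),
        "rightmost_untrusted": client_ip_rightmost_untrusted(edge, forged_xff, trusted),
    }


if __name__ == "__main__":
    for policy, ip in demo().items():
        print(f"{policy:20s} -> {ip}")
```

The leftmost policy reports the forged 10.0.0.1; the rightmost walk reports 203.0.113.7. With Cloudflare configured to drop the client's incoming X-Forwarded-For, the header arrives as just "203.0.113.7" and both policies agree, which is the point of the reply's last paragraph. A connection that bypasses Cloudflare entirely is never trusted, so its header is ignored under either policy.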