
This plugin will no longer be needed in Caddy v2.7.0

Open francislavoie opened this issue 1 year ago • 14 comments

Just wanted to mention here that this plugin will no longer be needed because of the work done in https://github.com/caddyserver/caddy/pull/5104.

The real client IP will be parsed if trusted_proxies is configured in global options, and the header it's read from can be configured with client_ip_headers (defaulting to X-Forwarded-For). The logs will include it as a new client_ip field.

Compared to this plugin, this approach doesn't affect req.RemoteAddr, that's left intact, but any other modules/handlers that might care to get the real client IP can get it from the request context.

Apr 01 '23 02:04 francislavoie
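A simplified model of the trusted-proxy rule described above, as an added example that is not Caddy's own code: a forwarding header is honoured only when the directly connected peer is in a trusted range, and the chain is then walked from the right, skipping trusted hops. The function names, the `sampleTrusted` range and all addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: 10.0.0.0/8 stands in for the proxy network.
var sampleTrusted = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}

// clientIP is a hypothetical helper, not Caddy's implementation. It returns
// the peer address unless the peer is a trusted proxy; only then is the
// comma-separated header consulted, right to left.
func clientIP(remoteAddr, header string, trusted []netip.Prefix) string {
	peer := remoteAddr
	if ap, err := netip.ParseAddrPort(remoteAddr); err == nil {
		peer = ap.Addr().String()
	}
	addr, err := netip.ParseAddr(peer)
	if err != nil || !isTrusted(addr, trusted) {
		return peer // untrusted peer: the header is client-controlled, ignore it
	}
	hops := strings.Split(header, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: stop rather than trust anything left of it
		}
		if !isTrusted(hop, trusted) {
			return hop.String() // first hop not vouched for by a trusted proxy
		}
	}
	return peer // empty header, or every hop was a trusted proxy
}

// isTrusted reports whether a falls inside any trusted prefix.
func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(clientIP("10.0.0.3:41234", "203.0.113.7, 10.0.0.9", sampleTrusted))
	fmt.Println(clientIP("198.51.100.20:5555", "203.0.113.7", sampleTrusted))
}
```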

When will Caddy v2.7.0 be released?

Apr 04 '23 18:04 lxhao61

Caddy doesn't follow a release schedule. A release will be made when we have enough to release.

Apr 04 '23 21:04 francislavoie

Thanks for the heads up. I have referenced this discussion on the main page for this repo.

Apr 06 '23 15:04 kirsch33

Can I use this for 2.6.4?

How do I install this module?

Apr 21 '23 02:04 crapthings

No @crapthings. You could build from the master branch though. It's not a plugin, it's changes in Caddy itself.

Apr 21 '23 02:04 francislavoie

Hello, I use Caddy 2.7 beta for testing the retrieval of the source IP. I have the field "client_ip" but the IP is the container IP...

Where must I put the trusted_proxies parameters, please?

Afterwards, in my PHP code I use:

$user_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
echo "IP HTTP_X_FORWARDED_FOR : ".$user_ip."\n";

Thanks for your reply.

Jun 06 '23 15:06 mgagnant

In global options, at the top of your Caddyfile:

{
	servers {
		trusted_proxies static <ips...>
	}
}

Jun 06 '23 15:06 francislavoie

Thanks a lot for your quick answer. Unfortunately, still the same problem. The client_ip value is 10.0.0.3, which is the container IP. Maybe I made a mistake on trusted_proxies. What are the static IPs I must enter? I tried with 10.0.0.3. Thanks again.

Jun 06 '23 18:06 mgagnant

If you're in Docker then you might be running into the problem where Docker is using a userland proxy, which causes all TCP packets to appear as if they're coming from Docker itself. That's not something you can fix with Caddy itself; it's a problem with Docker. See https://github.com/moby/moby/issues/15086

Jun 06 '23 20:06 francislavoie

OK, thanks again for your quick answer. I will investigate Docker.

Jun 07 '23 05:06 mgagnant

I'm using the new syntax but I don't know where I'm failing. I want to pass the IP present in the Cloudflare header but it's not working as I thought. For example, with this config:

{
	servers {
		trusted_proxies static cloudflare_ips_range
		client_ip_headers CF-Connecting-IP
	}
}
domain.example {
	reverse_proxy example {
		header_up X-Forwarded-For {client_ip}
	}
}

The application is not getting the header. If I change the trusted header to: client_ip_headers X-Forwarded-For

Then it works. Why is it not taking the IP from the CF header? Did I misunderstand something?

Aug 03 '23 17:08 EnfermeraSexy

cloudflare_ips_range is not a thing.

If you want to automatically get the trusted proxies IPs for cloudflare, use this plugin https://github.com/WeidiDeng/caddy-cloudflare-ip instead of static.

Also remove your header_up X-Forwarded-For line, that's incorrect; Caddy will automatically set that header correctly if trusted_proxies is correct.

Aug 03 '23 17:08 francislavoie

cloudflare_ips_range was just an example to not write all the IPs.

The problem is that some applications do not properly read the header if it contains multiple IP addresses (client_ip, cloudflare_ip). That's why I want to overwrite the header and just set the client IP without the intermediate.

Aug 03 '23 17:08 EnfermeraSexy

> The problem is that some applications do not properly read the header if it contains multiple IP addresses

Then those should be fixed. They're not conformant to spec otherwise.

Also you might need to use Cf-Connecting-Ip and not CF-Connecting-IP (lowercase f and p)

Aug 03 '23 18:08 francislavoie