dns-over-https
Cannot handle X-Forwarded-For properly
Using caddy as reverse proxy and Cloudflare as CDN service. Cannot read client real IP with header X-Forwarded-For.
Part of caddy configuration:

```json
{
  "match": [
    {
      "host": ["example.com"]
    }
  ],
  "handle": [
    {
      "handler": "subroute",
      "routes": [
        {
          "match": [
            {
              "path": ["/dns-query"]
            }
          ],
          "handle": [
            {
              "handler": "reverse_proxy",
              "headers": {
                "request": {
                  "set": {
                    "X-Forwarded-For": ["{http.request.header.CF-Connecting-IP}"]
                  }
                }
              },
              "upstreams": [
                {
                  "dial": "127.0.0.1:8053"
                }
              ]
            }
          ]
        },
        {
          "handle": [
            {
              "handler": "file_server",
              "root": "/path/to/caddy"
            }
          ],
          "terminal": true
        }
      ]
    }
  ]
}
```
If I replace X-Forwarded-For with X-Real-IP, then the server is able to read client real IP. I don't know if this is caused by caddy or dns-over-https.
Doh-server is programmed to require the client IP to be a globally routable IP. (In other words, if your server is in the same private network with your client, doh-server may see something like 192.168.114.191 and decide to ignore that, since it cannot help with GeoDNS.)
Can you check whether the submitted X-Forwarded-For IP is a globally routable one?
If there are multiple X-Forwarded-For IPs, doh-server deletes any non-global IPs and then chooses the farthest one on the proxy chain for GeoDNS.
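The selection rule described in the reply, written out as an added Go example (not doh-server's own code, whose implementation may differ in detail): every non-global entry in X-Forwarded-For is dropped, the farthest hop (the leftmost remaining entry) is chosen, and X-Real-IP is only consulted as a fallback. The "globally routable" test here is an approximation built from Go's `netip` predicates, and the header values are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// isGlobal approximates "globally routable": a unicast address that is not
// private (RFC 1918 / ULA), loopback, link-local, multicast or unspecified.
func isGlobal(a netip.Addr) bool {
	return a.IsGlobalUnicast() && !a.IsPrivate()
}

// clientIPForECS applies the rule from the reply: skip every non-global
// X-Forwarded-For entry, return the farthest remaining hop (leftmost entry),
// and fall back to X-Real-IP when X-Forwarded-For yields nothing usable.
// An empty result means no usable client address, which is what the reporter saw.
func clientIPForECS(xForwardedFor, xRealIP string) string {
	for _, raw := range strings.Split(xForwardedFor, ",") {
		a, err := netip.ParseAddr(strings.TrimSpace(raw))
		if err == nil && isGlobal(a) {
			return a.String()
		}
	}
	if a, err := netip.ParseAddr(strings.TrimSpace(xRealIP)); err == nil && isGlobal(a) {
		return a.String()
	}
	return ""
}

func main() {
	// Constructed header values, not captured from a real deployment.
	cases := [][2]string{
		{"192.168.114.191, 203.0.113.10", ""}, // LAN client, then a CDN hop: the CDN hop wins
		{"198.51.100.7, 203.0.113.10", ""},    // two global hops: the farthest (leftmost) wins
		{"192.168.114.191", "192.168.1.1"},    // nothing global in either header: ignored
		{"", "198.51.100.7"},                  // only X-Real-IP carries a usable address
	}
	for _, c := range cases {
		fmt.Printf("XFF=%q X-Real-IP=%q -> %q\n", c[0], c[1], clientIPForECS(c[0], c[1]))
	}
}
```

Running this against the header a proxy actually forwards shows whether the address doh-server receives is one it will accept for GeoDNS or one it will discard.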