Configuring Caddy with the Fly proxy as a trusted proxy along with passing the client IP

With the 2.7.3 release of Caddy this last week we get a new feature that helps us pass a more secure client IP to Caddy through the custom header that Fly uses. This change was merged at the end of March but is now available in a major release.

Specifically, this means that the client IP Fly proxy sets as the Fly-Client-IP header can be passed to Caddy, as opposed to using the default X-Forwarded-For header. With the following configuration options, Caddy assigns the client IP from Fly-Client-IP to a new client_ip field. My understanding is that the Fly-Client-IP is more secure because it’s not as easily forged as X-Forwarded-For. Before, there was only a remote_ip field, which would confuse the difference between proxy and client IP.

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "trusted_proxies": {
            "source": "static",
            "ranges": [
              "172.16.0.0/16"
            ]
          },
          "client_ip_headers": [
            "Fly-Client-IP",
            "X-Forwarded-For"
          ]
        }
      }
    }
  }
}

I believe this is the right trusted proxy range, but please do correct me if I’m wrong about that… or anything else I might be misunderstanding, for that matter.

Some relevant resources:

2 Likes
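An added example, not part of the original post and not Caddy's source code: a simplified Go model of how a trusted-proxy setup like the one above decides the client IP. The function name `clientIP`, the sample addresses and the leftmost-entry handling of comma-separated lists are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// clientIP (hypothetical helper) reads forwarding headers only when the
// direct peer address falls inside a trusted proxy range.
func clientIP(remoteAddr string, h http.Header, trusted []netip.Prefix, headers []string) string {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return ""
	}
	peer := ap.Addr().Unmap()
	isTrusted := false
	for _, p := range trusted {
		if p.Contains(peer) {
			isTrusted = true
			break
		}
	}
	if !isTrusted {
		return peer.String() // untrusted peer: its headers are ignored
	}
	for _, name := range headers { // order matters: first usable header wins
		// Assumption: the leftmost entry of a comma-separated list is used.
		first, _, _ := strings.Cut(h.Get(name), ",")
		if ip, err := netip.ParseAddr(strings.TrimSpace(first)); err == nil {
			return ip.String()
		}
	}
	return peer.String() // trusted peer, but no usable header
}

func main() {
	// Range and header order taken from the JSON config in the post.
	trusted := []netip.Prefix{netip.MustParsePrefix("172.16.0.0/16")}
	order := []string{"Fly-Client-IP", "X-Forwarded-For"}
	// Constructed request headers; addresses are documentation ranges.
	h := http.Header{}
	h.Set("Fly-Client-IP", "203.0.113.7")
	h.Set("X-Forwarded-For", "198.51.100.9, 203.0.113.7")
	fmt.Println(clientIP("172.16.3.2:41000", h, trusted, order)) // peer in trusted range
	fmt.Println(clientIP("192.0.2.50:41000", h, trusted, order)) // peer outside it
}
```

The second call shows why the `ranges` value matters: if it is wider than the proxy's real address space, any peer inside it can supply its own Fly-Client-IP value.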

Nice - this means that the real IP will be passed through?

Did you ever get this working in Caddyfile format with an example on GitHub? I would like to try this out.

cheers

Late response here, just saw your question. client_ip is a Caddy attribute that’s used internally in Caddy as well as by Caddy Modules. So this means any Caddy features that rely on the client IP will work correctly and that the client IP being passed to Caddy is more likely to be correct due to Fly Proxy providing extra security with the Fly-Client-IP header.

I write my Caddy configuration using JSON directly but it looks like you can do this in a Caddyfile like this: