Configuring Caddy with the Fly proxy as a trusted proxy along with passing the client IP

With the 2.7.3 release of Caddy this last week we get a new feature that helps us pass a more secure client IP to Caddy through the custom header that Fly uses. This change was merged at the end of March but is now available in a major release.

Specifically, this means that the client IP that the Fly proxy sets as the Fly-Client-IP header can be passed to Caddy, as opposed to using the default X-Forwarded-For header. With the following configuration options, Caddy assigns the client IP from Fly-Client-IP to a new client_ip field. My understanding is that the Fly-Client-IP is more secure because it’s not as easily forged as X-Forwarded-For. Before, there was only a remote_ip field, which would confuse the difference between proxy and client IP.

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "trusted_proxies": {
            "source": "static",
            "ranges": [
              "172.16.0.0/16"
            ]
          },
          "client_ip_headers": [
            "Fly-Client-IP",
            "X-Forwarded-For"
          ]
        }
      }
    }
  }
}

I believe this is the right trusted proxy range, but please do correct me if I’m wrong about that… or anything else I might be misunderstanding, for that matter.

Some relevant resources:

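A simplified model of the decision the configuration in the post asks Caddy to make, added here as an illustration; it is not Caddy's code and not part of the original post. The function name, the sample addresses and the "first syntactically valid IP wins" rule are assumptions of this sketch.

```python
import ipaddress

# Values mirror the JSON config in the post above.
TRUSTED_RANGES = [ipaddress.ip_network("172.16.0.0/16")]
CLIENT_IP_HEADERS = ["Fly-Client-IP", "X-Forwarded-For"]


def resolve_client_ip(remote_ip, headers, trusted=TRUSTED_RANGES,
                      header_names=CLIENT_IP_HEADERS):
    """Return the address a server configured this way would record as client_ip.

    remote_ip: address of the directly connected peer (hypothetical input).
    headers:   dict of header name -> list of values, matched case-insensitively.
    """
    peer = ipaddress.ip_address(remote_ip)
    # Headers are believed only when the direct peer is a trusted proxy.
    if not any(peer in net for net in trusted):
        return remote_ip

    lowered = {k.lower(): v for k, v in headers.items()}
    candidates = []
    for name in header_names:  # configured order decides precedence
        for value in lowered.get(name.lower(), []):
            candidates.extend(part.strip() for part in value.split(","))

    for cand in candidates:  # assumption: first syntactically valid IP wins
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            continue
    return remote_ip  # nothing usable: fall back to the peer address


# Constructed sample requests (documentation address ranges, not real traffic).
VIA_PROXY = {"Fly-Client-IP": ["203.0.113.7"],
             "X-Forwarded-For": ["198.51.100.9, 203.0.113.7"]}
XFF_ONLY = {"X-Forwarded-For": ["198.51.100.9, 203.0.113.7"]}

if __name__ == "__main__":
    print(resolve_client_ip("172.16.3.10", VIA_PROXY))   # trusted peer, Fly header first
    print(resolve_client_ip("198.51.100.9", VIA_PROXY))  # untrusted peer, headers ignored
    print(resolve_client_ip("172.16.3.10", XFF_ONLY))    # leftmost X-Forwarded-For entry
```

The third case shows why the header order matters: with only X-Forwarded-For, the leftmost entry is whatever the original request carried, so listing the proxy-set header first keeps that value from being used.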