rhino/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-03-25 11:19:21 -07:00
Code Issues Packages Projects Releases Wiki Activity

Caddy deprecated remote_ip's forwarded mode, in favor of client_ip_headers paired with trusted_proxies. Allows configuring which headers to use to determine the client's IP address.

tsanga13
2025-08-03 23:07:36 -05:00
parent 8d0449a554
commit a1e1c8c34b
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Proxy-examples.md

@@ -24,6 +24,15 @@ If you prefer, you can also directly specify a value instead of substituting an
```Caddy ```Caddy
# Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks # Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks
# {
# servers {
# trusted_proxies static private_ranges
# client_ip_headers X-Forwarded-For X-Real-IP
# # client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP
# # If using Cloudflare proxy, insert CF-Connecting-IP as first priority
# # since Cloudflare doesnt prevent X-Forwarded-For spoofing.
# }
# }
# (admin_redir) { # (admin_redir) {
# @admin { # @admin {
# path /admin* # path /admin*
@@ -81,7 +90,8 @@ If you prefer, you can also directly specify a value instead of substituting an
# @not_allowed_admin { # @not_allowed_admin {
# path /admin* # path /admin*
# Trusted IPs one and two # Trusted IPs one and two
# not remote_ip forwarded xx.xx.xx.xx/32 xx.xx.xx.xx/32 # not client_ip xx.xx.xx.xx/32 xx.xx.xx.xx/32
# # remote_ips forwarded mode is deprecated; client_ip matcher with global options client_ip_headers and trusted_proxies
# } # }
# respond @not_allowed_admin "401 - {http.request.header.Cf-Connecting-Ip} is not an allowed IP." 401 # respond @not_allowed_admin "401 - {http.request.header.Cf-Connecting-Ip} is not an allowed IP." 401
@@ -94,6 +104,7 @@ If you prefer, you can also directly specify a value instead of substituting an
# log, so that fail2ban can ban the correct IP. # log, so that fail2ban can ban the correct IP.
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
# If you use Cloudflare proxying, replace remote_host with http.request.header.Cf-Connecting-Ip # If you use Cloudflare proxying, replace remote_host with http.request.header.Cf-Connecting-Ip
# Not necessary if using global options 'client_ip_headers CF-Connecting-IP'
# See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/ # See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
# and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4 # and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4
} }