Configure trusted proxies to preserve the forwarded IP

pimterry · pimterry · commit 5c4e05e6a59d · 2023-05-02T17:16:16.000+01:00
Without this, Scaleway's Envoy passes X-Forwarded-For through, telling
us who the original client is, but then then Caddy refuses to trust
them, and so every request comes from 127.0.0.1.
diff --git a/Caddyfile b/Caddyfile
@@ -1,3 +1,12 @@
+{
+	servers {
+        # We trust (configurably) X-Forwarded-For headers from traffic that's proxied through
+        # localhost, e.g. through SCW's Envoy container proxy. Without this all traffic appears
+        # to come directly from localhost, ignoring the data Envoy passes through.
+		trusted_proxies static {$TRUSTED_PROXIES:127.0.0.1}
+	}
+}
+
 # We use the domain name (via Host header) to decide which upstream service we
 # should forward the traffic to:
 {$EVENTS_DOMAIN:events.httptoolkit.tech} {
diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,3 @@
-FROM caddy:2.6.1-alpine
+FROM caddy:2.6.4-alpine
 
 COPY ./Caddyfile /etc/caddy/Caddyfile

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`		`-FROM caddy:2.6.1-alpine`
	`1`	`+FROM caddy:2.6.4-alpine`
`2`	`2`
`3`	`3`	`COPY ./Caddyfile /etc/caddy/Caddyfile`