Caddy not whitelisting Railways proxy

xytricPRO

7 months ago

So I just took mostly the config from the Caddy Reverse Proxy Railway template and I inserted the following block into servers, namely the trusted proxies:

servers {
    trusted_proxies static private_ranges # trust railway's proxy
    trusted_proxies_strict
}

And as we can see from the access logs it shows a wrong client-ip:

request:{
    client_ip:"100.64.0.2"
    headers:{⋯}
    method:"GET"
    proto:"HTTP/1.1"
    remote_ip:"100.64.0.2"
    remote_port:"11552"
    uri:"/admin"

As we can see, it does not detect Railway's proxy, as requests seem to be coming from 100.64.x.x. Sometimes 100.64.0.2, 100.64.0.3 and sometimes 100.64.0.4.

Now Caddy needs to trust the proxy it is behind in order to correctly pass on the client IP. I'm using this to whitelist IPs and to identify user session IPs in Keycloak.

So I went ahead and tested whitelisting this IP range:

servers {
    trusted_proxies static private_ranges 100.64.0.0/10 # trust railway's proxy
    trusted_proxies_strict
}

Now it works and Caddy correctly passes on the client IP headers. I will refrain from showing the logs in order to avoid leaking any IPs.

My question is, is this indeed the IP of Caddy's proxy and will this change in the future?

Solved

3 Replies

7 months ago

Hello,

That's not the IP of the Caddy proxy, that's the IP of our proxy, and yes, there is some possibility that it will change; it hasn't always been a 100.x range.

Though, if you're running your app on Railway, you will always be running your app behind a trusted proxy, so you could trust 0.0.0.0/0 all the same for some future proofing.




xytricPRO

7 months ago

Hi, thanks for the swift response!

I see, thanks! I have updated my servers block to the following:

servers {
    trusted_proxies static 0.0.0.0/0 ::/0
}

And now it works, thanks!




7 months ago

Happy to help!




Status changed to Solved brody 7 months ago
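
An added example, not part of the thread and not Caddy's own code: a simplified Python model of the documented `trusted_proxies` behaviour, showing which address each of the three `servers` blocks in the thread resolves as `client_ip`. The `X-Forwarded-For` value is constructed, and all function and variable names are hypothetical.

```python
import ipaddress

# Caddy's documented `private_ranges` shortcut; 100.64.0.0/10 is not in it.
PRIVATE_RANGES = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
                  "127.0.0.1/8", "fd00::/8", "::1"]

def _addr(text):
    """Parse one address, returning None for anything unparsable."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _trusted(addr, cidrs):
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def client_ip(remote_ip, xff, trusted_cidrs, strict):
    """Simplified model: which address ends up as client_ip."""
    if not _trusted(_addr(remote_ip), trusted_cidrs):
        return remote_ip                  # untrusted peer: header is ignored
    hops = [a for a in map(_addr, xff.split(",")) if a is not None]
    if not hops:
        return remote_ip
    if not strict:
        return str(hops[0])               # non-strict: leftmost entry wins
    for hop in reversed(hops):            # strict: walk right to left
        if not _trusted(hop, trusted_cidrs):
            return str(hop)               # first untrusted entry is the client
    return remote_ip                      # model's fallback: every entry trusted

PEER = "100.64.0.2"                       # remote_ip from the log in the thread
XFF = "198.51.100.9, 203.0.113.7"         # constructed header with two entries

def demo():
    """Resolve client_ip under each configuration posted in the thread."""
    return {
        "private_ranges, strict": client_ip(PEER, XFF, PRIVATE_RANGES, True),
        "+100.64.0.0/10, strict": client_ip(
            PEER, XFF, PRIVATE_RANGES + ["100.64.0.0/10"], True),
        "0.0.0.0/0 ::/0, non-strict": client_ip(
            PEER, XFF, ["0.0.0.0/0", "::/0"], False),
    }

if __name__ == "__main__":
    for config, ip in demo().items():
        print(f"{config:28} -> {ip}")
```

The third result is the leftmost header entry, so it is the real client only when the edge proxy in front of Caddy overwrites `X-Forwarded-For` rather than appending to it.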


Caddy not whitelisting Railways proxy - Railway Help Station