Feature request for a plugin
Cloudflare offers free reverse proxying, hiding the web server's IP and filtering some kinds of attacks. When using Cloudflare's reverse proxy feature, it's a best practice to block requests that do not originate from the Cloudflare network. Cloudflare lists their reverse proxy IPs here https://www.cloudflare.com/ips-v4 and here https://www.cloudflare.com/ips-v6 .
Main feature: Block requests originating outside of the Cloudflare network
Bonus feature: Override the remote-addr header with the Cloudflare one (analogous to the nginx "real_ip" directive)
You can do both of those things without a plugin!
Caddy v2 has a remote_ip matcher which takes a CIDR or IP. You can combine it with the respond directive to return an error on a request from outside those IPs.
Caddy also automatically sets the X-Forwarded-For header when using the reverse_proxy directive. Outside of that, you can use the request_header directive if you're serving templated static content that needs the remote IP.
Does this answer your question? I'm unsure what else you would need it to do.
Hm, yeah, I don't think a plugin is needed for this. I agree that you can do this already!
Thanks for using Caddy -- please join our forums to continue this discussion!
I just migrated my Caddy v1:
realip cloudflare {
    strict
}
to v2 and had to do this:
request_header -X-Forwarded-For
@notcloudflare_ips {
    not remote_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32
}
respond @notcloudflare_ips 403
remote_ip filters by _X-Forwarded-For_ client while realip checks that the _http.RemoteAddr_ matches any IP/range in the list (403 if strict checking is enabled) and then goes on to set a different value for _http.RemoteAddr_ based on the _X-Forwarded-For_ header.
It would be great if users could tune what remote_ip matches on without tinkering with the request headers. WDYT?
Thanks!
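The distinction drawn in the comment above (gate on the connection's peer address first, only then derive the client address from X-Forwarded-For), sketched in Go as an added example; it is not code from Caddy or from the realip plugin. The helper name `ClientIP`, the shortened CIDR list and the rule of taking the rightmost entry that is not a trusted proxy are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed subset of the ranges quoted in the thread; use the full current lists in practice.
var trusted = []netip.Prefix{
	netip.MustParsePrefix("173.245.48.0/20"),
	netip.MustParsePrefix("104.16.0.0/12"),
	netip.MustParsePrefix("2606:4700::/32"),
}

func isTrusted(a netip.Addr) bool {
	a = a.Unmap() // compare IPv4-mapped IPv6 peers against the IPv4 prefixes
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ClientIP (hypothetical helper) takes the TCP peer in host:port form, as in
// http.Request.RemoteAddr, and the raw X-Forwarded-For value.
func ClientIP(peer, xff string) (netip.Addr, bool) {
	ap, err := netip.ParseAddrPort(peer)
	if err != nil || !isTrusted(ap.Addr()) {
		return netip.Addr{}, false // strict mode: reject, never read the header
	}
	// Walk right to left: only entries appended by trusted proxies are reliable.
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(parts[i]))
		if err != nil {
			break // empty or malformed entry: stop and fall back to the peer
		}
		if !isTrusted(a) {
			return a.Unmap(), true
		}
	}
	return ap.Addr().Unmap(), true
}

func main() {
	fmt.Println(ClientIP("203.0.113.9:40000", "198.51.100.7"))        // direct hit: denied
	fmt.Println(ClientIP("104.16.1.1:443", "10.0.0.1, 198.51.100.7")) // forged left entry ignored
}
```

A request that reaches the origin directly is rejected before the header is consulted, so a client-supplied X-Forwarded-For value cannot influence the allow decision.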
@gonzalop turns out someone just ported the realip plugin to v2 yesterday 😅
https://caddy.community/t/remoteaddr-and-caddy-v2-help-needed/10317/9