Caddy deprecated remote_ip's forwarded mode, in favor of client_ip_headers paired with trusted_proxies. Allows configuring which headers to use to determine the client's IP address.

tsanga13
2025-08-03 23:07:36 -05:00
parent 8d0449a554
commit a1e1c8c34b

@@ -24,6 +24,15 @@ If you prefer, you can also directly specify a value instead of substituting an
```Caddy
# Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks
# {
# servers {
# trusted_proxies static private_ranges
# client_ip_headers X-Forwarded-For X-Real-IP
# # client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP
# # If using Cloudflare proxy, insert CF-Connecting-IP as first priority
# # since Cloudflare doesnt prevent X-Forwarded-For spoofing.
# }
# }
# (admin_redir) {
# @admin {
# path /admin*
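Review bot: The commented Cloudflare variant (`client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP`) sits under `trusted_proxies static private_ranges`, and Caddy only reads the `client_ip_headers` when the connecting peer is inside `trusted_proxies`. If Cloudflare's edge connects to Caddy directly from public addresses, those headers are ignored and the client IP resolves to the Cloudflare address. The comment should say that Cloudflare's published ranges must be added to `trusted_proxies` in that setup, or that the variant assumes a local tunnel or proxy in a private range. Separately, the new block is inserted between the existing "Uncomment this in addition with the import admin_redir statement" comment and the `(admin_redir)` snippet it describes, so that comment now appears to describe the global options; give the new block its own one-line comment and keep the old one directly above `(admin_redir)`.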
@@ -81,7 +90,8 @@ If you prefer, you can also directly specify a value instead of substituting an
# @not_allowed_admin {
# path /admin*
# Trusted IPs one and two
# not remote_ip forwarded xx.xx.xx.xx/32 xx.xx.xx.xx/32
# not client_ip xx.xx.xx.xx/32 xx.xx.xx.xx/32
# # remote_ips forwarded mode is deprecated; client_ip matcher with global options client_ip_headers and trusted_proxies
# }
# respond @not_allowed_admin "401 - {http.request.header.Cf-Connecting-Ip} is not an allowed IP." 401
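Review bot: The replacement `not client_ip xx.xx.xx.xx/32 xx.xx.xx.xx/32` only evaluates forwarded headers when the global `servers` block with `trusted_proxies` is enabled, and that block is commented out by default. A user who uncomments only this matcher gets a comparison against the immediate peer address, which behind a proxy is the proxy and not the visitor. The added comment line should state that dependency as a requirement; as written ("client_ip matcher with global options client_ip_headers and trusted_proxies") it has no verb and reads as a fragment, and "remote_ips" should be "remote_ip's". The unchanged `respond` line still prints `{http.request.header.Cf-Connecting-Ip}`, which is empty outside Cloudflare setups; consider `{http.vars.client_ip}` so the message shows the address the matcher actually tested.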
@@ -94,6 +104,7 @@ If you prefer, you can also directly specify a value instead of substituting an
# log, so that fail2ban can ban the correct IP.
header_up X-Real-IP {remote_host}
# If you use Cloudflare proxying, replace remote_host with http.request.header.Cf-Connecting-Ip
# Not necessary if using global options 'client_ip_headers CF-Connecting-IP'
# See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/
# and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4
}
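Review bot: The added line "Not necessary if using global options 'client_ip_headers CF-Connecting-IP'" does not hold for `header_up X-Real-IP {remote_host}` as written: `{remote_host}` is always the address of the directly connected peer and is not changed by `client_ip_headers` or `trusted_proxies`. With Cloudflare in front, the upstream log would still record a Cloudflare address and fail2ban would ban the wrong IP. If the intent is to reuse the globally resolved client address, the comment should tell the reader to send `{http.vars.client_ip}` in place of `{remote_host}`; otherwise drop the line and keep the existing Cf-Connecting-Ip instruction.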