From a1e1c8c34b0c3217e3d699ed41c672fde7d57a5d Mon Sep 17 00:00:00 2001 From: tsanga13 <95390502+tsanga13@users.noreply.github.com> Date: Sun, 3 Aug 2025 23:07:36 -0500 Subject: [PATCH] Caddy deprecated remote_ip's forwarded mode, in favor of client_ip_headers paired with trusted_proxies. Allows configuring which headers to use to determine the client's IP address. --- Proxy-examples.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/Proxy-examples.md b/Proxy-examples.md index 1465dc8..24dd8c1 100644 --- a/Proxy-examples.md +++ b/Proxy-examples.md @@ -24,6 +24,15 @@ If you prefer, you can also directly specify a value instead of substituting an ```Caddy # Uncomment this in addition with the import admin_redir statement allow access to the admin interface only from local networks +# { +# servers { +# trusted_proxies static private_ranges +# client_ip_headers X-Forwarded-For X-Real-IP +# # client_ip_headers CF-Connecting-IP X-Forwarded-For X-Real-IP +# # If using Cloudflare proxy, insert CF-Connecting-IP as first priority +# # since Cloudflare doesn’t prevent X-Forwarded-For spoofing. +# } +# } # (admin_redir) { # @admin { # path /admin* @@ -81,7 +90,8 @@ If you prefer, you can also directly specify a value instead of substituting an # @not_allowed_admin { # path /admin* # Trusted IPs one and two - # not remote_ip forwarded xx.xx.xx.xx/32 xx.xx.xx.xx/32 + # not client_ip xx.xx.xx.xx/32 xx.xx.xx.xx/32 + # # remote_ip’s forwarded mode is deprecated; client_ip matcher with global options client_ip_headers and trusted_proxies # } # respond @not_allowed_admin "401 - {http.request.header.Cf-Connecting-Ip} is not an allowed IP." 401 
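Review bot: The added `trusted_proxies static private_ranges` line trusts every peer in a private range, so any LAN host that reaches Caddy directly can send X-Forwarded-For or X-Real-IP and be matched by `client_ip` as the address it claims; the example should tell readers to list only the proxy's own address, e.g. `trusted_proxies static <proxy-ip>/32` (placeholder). The commented Cloudflare variant needs a caveat too: if Cloudflare connects to Caddy directly, its edge addresses are public and not covered by `private_ranges`, so CF-Connecting-IP would be ignored unless Cloudflare's ranges are added to `trusted_proxies`. Where X-Forwarded-For stays in the header list, adding `trusted_proxies_strict` makes Caddy parse it right to left instead of taking the client-supplied leftmost entry. The Caddy fence this block sits in starts and ends outside the hunk.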
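Review bot: The comment added under `not client_ip …` in the `@not_allowed_admin` hunk has no verb and reads as a fragment; `# remote_ip's forwarded mode is deprecated; use the client_ip matcher together with the global options client_ip_headers and trusted_proxies` tells the reader what to do. It is worth adding that without those global options `client_ip` is just the connecting peer's address, so behind a proxy every request would fail the allowlist. The `respond` line just below (unchanged context) still echoes the Cf-Connecting-Ip header rather than the address the matcher evaluated; `{client_ip}` would keep the message consistent with the check. The enclosing snippet continues outside the hunk.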
@@ -94,6 +104,7 @@ If you prefer, you can also directly specify a value instead of substituting an # log, so that fail2ban can ban the correct IP. header_up X-Real-IP {remote_host} # If you use Cloudflare proxying, replace remote_host with http.request.header.Cf-Connecting-Ip + # Not necessary if using global options 'client_ip_headers CF-Connecting-IP' # See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/ # and https://caddy.community/t/forward-auth-copy-headers-value-not-replaced/16998/4 }
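Review bot: The added line `# Not necessary if using global options 'client_ip_headers CF-Connecting-IP'` looks incorrect for the `header_up X-Real-IP {remote_host}` directive above it. As far as I can tell, `client_ip_headers` changes what the `client_ip` matcher and the `{client_ip}` placeholder resolve to, while `{remote_host}` remains the immediate peer, which behind Cloudflare is the Cloudflare edge. A reader who follows the comment as written would pass the proxy address upstream, and fail2ban would then ban Cloudflare rather than the offending client. I would reword it to `# With global options client_ip_headers and trusted_proxies set, use {client_ip} here instead of {remote_host}`. The enclosing block starts outside the hunk.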