Add instructions for restoring original visitor IPs when using Caddy

cloudflare · Jan 3, 2025 · 2b5269e · 2b5269e
1 parent 943f8fc
commit 2b5269e
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/...upport/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips.mdx b/...upport/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips.mdx
@@ -454,6 +454,42 @@ clientIPDetection:
 
 For more details, refer to [Custom header original IP detection extension](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto).
 
+### Caddy
+
+If you are running an application behind [Caddy](https://caddyserver.com/) that relies on the `X-Forwarded-For` header, you can configure Caddy to override the header with Cloudflare's [CF-Connecting-IP header](https://developers.cloudflare.com/fundamentals/reference/http-request-headers/#cf-connecting-ip).
+
+It is advised that you also only accept traffic from [Cloudflare's IP addresses](https://www.cloudflare.com/ips/); otherwise, the header could be spoofed. That's why, in the second example, we handle this as part of the Caddy configuration. Alternatively, you can handle this at the firewall level, which is usually easier to automate. If you already have a firewall or other measure in place to ensure this, your Caddyfile could look like this:
+```txt title="Caddyfile"
+https://example.com {
+    reverse_proxy localhost:8080 {
+				# Sets X-Forwarded-For as the value Cloudflare gives us for CF-Connecting-IP.
+				header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+		}
+}
+```
+
+If you want Caddy to handle only accepting traffic from [Cloudflare's IP addresses](https://www.cloudflare.com/ips/), you can use a configuration like this one:
+```txt title="Caddyfile"
+https://example.com {
+    # Restrict access to Cloudflare IPs (https://www.cloudflare.com/ips/)
+    @cloudflare {
+        remote_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/22 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 131.0.72.0/22 104.18.0.0/15 104.17.0.0/16
+    }
+
+    # Process requests from Cloudflare IPs
+    handle @cloudflare {
+        reverse_proxy localhost:8080 {
+            # Sets X-Forwarded-For as the value Cloudflare gives us for CF-Connecting-IP.
+            header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+        }
+    }
+
+    # Deny requests from non-Cloudflare IPs
+    handle {
+        respond "Access Denied" 403
+    }
+}
+```
 ---
 
 ## Related Resources