How to prevent caddy from automatically adding X-Forwarded-For header? #3976
Comments
I tried
But that doesn't work.
Nginx works on localhost:8080 but it's unlikely to modify X-Forwarded-For itself. My PHP test code:

```php
<?php
// Print the proxy-related request values so the effect of header changes can be observed.
// The null-coalescing operator avoids "undefined index" notices when a header is absent.
echo nl2br('Remote Addr: ' . ($_SERVER['REMOTE_ADDR'] ?? '(not set)') . "\n");
echo nl2br('X-Real-IP: ' . ($_SERVER['HTTP_X_REAL_IP'] ?? '(not set)') . "\n");
echo nl2br('X-Forwarded-For: ' . ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? '(not set)') . "\n");
?>
```
Test steps:
My goal:
I think this happens because X-Forwarded-For has already been manipulated before user-configured header manipulations are applied. This is important so that deleting headers can be done successfully, if desired...
Can I ask why you want to remove that header?
MediaWiki was confused by the X-Forwarded-For header but now it seems to work properly. Removing this header is not needed anymore.
Did you find a way to remove the X-Forwarded-For header?
@kbourro Why do you need it removed? Good Proxies ™️ generally set it.
@mholt (I'm running into this too) but bad apps don't process it right or, worse, trust it implicitly. I frequently use Caddy (or previously Nginx) in front of apps that don't handle auth/forwarded-for headers as I want. @kbourro I've had success with overriding it like so:
What do you mean? You should probably be filing a bug report with that app, then. Or stop using that app. Or patch it if possible.
Well in that case you'll be glad to see that Caddy v2.5.0 doesn't implicitly trust incoming values for those headers. See the release notes.
Please be more specific. In what way does it not handle it as you want? All that said, you can remove the header like this:
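The Caddyfile form of the header removal discussed in this thread, as an added example rather than configuration posted by the maintainers or taken from the Caddy project; the hostname, the upstream address and the proxy network range are assumed. The leading `-` on a `header_up` field deletes that header from the request Caddy sends upstream, and the `trusted_proxies` subdirective (available since the v2.5.0 behaviour mentioned above) is shown as the alternative for the case where the header should be kept but only trusted from known proxy addresses:

```caddyfile
# Added example, not the project's own file. proxy.example.com, localhost:8080
# and 10.0.0.0/8 are assumed values.
proxy.example.com {
	reverse_proxy localhost:8080 {
		# Remove X-Forwarded-For from the upstream request so the upstream
		# never sees the client's address (the issue's "drop header" case).
		header_up -X-Forwarded-For
		# Caddy does not set X-Real-IP itself; drop it as well if a client or
		# earlier hop supplied one, since the upstream should not trust it.
		header_up -X-Real-IP
	}
}

# Alternative: keep the header, but only trust an incoming value when the
# connecting peer is one of these proxies; from any other peer Caddy discards
# the supplied X-Forwarded-For and starts a fresh one with the real remote address.
trusted.example.com {
	reverse_proxy localhost:8080 {
		trusted_proxies 10.0.0.0/8
	}
}
```

Reloading with `caddy reload` and requesting the PHP test page shown earlier in the thread should then print `(not set)` for X-Forwarded-For in the first site block, while the second block keeps the header but no longer accepts spoofed values from arbitrary clients.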
I've got no control of some of the apps that I need to deploy, so I use a reverse proxy to handle auth/routing/header manipulation when I can't choose/fix the app. I did figure this out using the
So at the end... Can we finally force remove the x-forwarded-for header and the like? At my startup we are calling an API from a provider which is secured by them with an IP-restriction rule, among other mechanisms. So I need to give them a static IP. At the office we have a dynamic IP. So in AWS I set up a Caddy to proxy the requests for that API so they come from an elastic IP we have registered as "the IP" with the provider. Nevertheless, at our startup we are inclined to implement zero-trust, so we treat the provider's API as an untrusted app. So, to reduce our attack surface, aiming to limit the exposure of the office's current IP, which is not needed for the API call, we want to remove it from the x-forwarded-for header.
Your answer on SO is not accurate. Francis has already mentioned you can drop the header by using:
Humm... I'm trying to do it from the command line and I get an error:
Can this "drop header" be done from the command line?
This is not currently possible via the command line. You'll have to use the Caddyfile for such advanced operations.
By the way, the upper reverse proxy (which accepts clients and sets XFF) has a dynamic IP behind NAT, so it is a bit hard to set
Quote from https://caddy.community/t/v2-reverse-proxy-transparent/6480/3:
It also adds X-Forwarded-For automatically.
But I don't want caddy to add X-Forwarded-For header, I want it to pass it through as-is. How can I achieve that?