Preserving IP after Caddy reverse proxy

What is the name of the domain?

example.com

What is the issue you’re encountering?

WAF and Analytics show all traffic is coming from reverse proxy IP

What steps have you taken to resolve the issue?

I have Caddy running as a reverse proxy on a VM so users can set custom domains. This then routes through Cloudflare to the app server and while this all works fine, I can’t use Cloudflare Analytics and WAF rules/rate limiting because all of the traffic (according to Cloudflare) is coming from the same IP address (the reverse proxy).

Is there any way to get Cloudflare to use the X-Forwarded-For header to preserve the original client IP? Here’s my Caddy setup:

reverse_proxy https://example.com {
    header_up Host {upstream_hostport}
    header_up True-Client-IP {remote_host}
    header_up X-Forwarded-For {remote_host}
    header_up X-Real-IP {remote_host}
    header_up X-Forwarded-Proto {scheme}
}

No, as that header is trivially forged, which would allow bypassing of any Cloudflare rules.

Have a look at Cloudflare for SaaS to handle custom domains for your application so you don’t need a proxy in front of the Cloudflare proxy…

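Why a bare X-Forwarded-For value cannot be believed, and how an application server can still recover the client address from a chain of proxies it knows, shown as an added example that is not part of the original thread. It assumes each proxy in front of the application appends the address it received the connection from; the function names and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges), not real CDN or proxy addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # stand-in for the CDN edge range
    ipaddress.ip_network("192.0.2.10/32"),    # stand-in for the Caddy VM
]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the proxy networks we operate or rely on."""
    return any(addr in net for net in trusted)


def resolve_client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the right-most address in the chain that is not a trusted proxy.

    peer is the TCP source address of the connection; xff is the raw
    X-Forwarded-For header value (or None if absent).
    """
    current = ipaddress.ip_address(peer)
    # A peer we do not trust could have written anything into the header,
    # so the header is ignored and the peer itself is the client.
    if not is_trusted(current, trusted):
        return str(current)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    # Walk from the entry added closest to us towards the client side.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop at the last address we could parse
        current = candidate
        if not is_trusted(current, trusted):
            break  # first hop we do not control: treat it as the client
    return str(current)


if __name__ == "__main__":
    # Client -> Caddy VM -> CDN edge -> application
    print(resolve_client_ip("198.51.100.5", "203.0.113.7, 192.0.2.10"))
    # Client skips the Caddy VM and supplies its own header to the edge
    print(resolve_client_ip("198.51.100.5", "203.0.113.7, 203.0.113.99"))
```

Entries to the left of the first untrusted hop are never consulted, so a value the client typed into the header cannot replace the address a known proxy actually observed.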

Hmmm, are there any ways that I can prove that the reverse proxy is trusted to Cloudflare? Maybe a tunnel.

Cloudflare for SaaS is a bit too expensive for my use-case ($0.10 per custom domain).

Not in place of the real IP address, no.
