Skip to content
Real-IP middleware for caddy
Branch: master
Clone or download
sporkmonger and captncraig Need to account for whitespace (#11)
* Need to account for whitespace

* Switch back to strings package and use Trim instead of regexp
Latest commit 5dd1f40 Sep 18, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Create LICENSE Sep 18, 2017 Added presets support for `gcp` and `rackspace`. May 3, 2017
module.go Need to account for whitespace (#11) Sep 18, 2017
realip_test.go Added presets support for `gcp` and `rackspace`. May 3, 2017
setup.go Added presets support for `gcp` and `rackspace`. May 3, 2017

Real-IP middleware for Caddy

Middleware for restoring real ip information when running caddy behind a proxy. Will allow other middlewares to simply use r.RemoteAddr instead of decoding X-Forwarded-For themselves. Analogous to nginx's realip_module

Checks whitelist of authorized proxy servers so we don't arbitrarily trust headers from anybody.

The real IP module is useful in situations where you are running caddy behind a proxy server. In these situations, the actual client IP will be stored in an HTTP header, usually X-Forwarded-For. The problem this creates is that other directives that rely on the client IP address, like ipfilter or git, will not always work properly in these scenarios.

This middleware will seamlessly and securely read the real IP address from the appropriate header and replace the proxied IP in the request with the real one. The new IP wil lbe used in Caddy's log files and with other plugins.


realip [cidr] {
    header name
    from   cidr [cidr... ]

name is the name of the header containing the actual IP address. Default is X-Forwarded-For.

cidr is the address range of expected proxy servers. As a security measure, IP headers are only accepted from known proxy servers. Must be a valid cidr block notation. This may be specified multiple times.

strict, if specified, will reject requests from unkown proxy IPs with a 403 status. If not specified, it will simply leave the original IP in place.

CIDR blocks

CIDR is a standard notation for specifying IP ranges. To allow a single IP, use /32 after the ip to specify no mask: To allow all IPs (and accept an X-Forwarded-For header from anybody), use Most cloud services should have their ip ranges published in this format somewhere.


realip {


There is a few helpers supplied if you want to use Caddy behind cloud services. Simply specify the caddy snippet below in your caddyfile to activate it using a built-in IP list.

Provider Alias Caddyfile Snippet
Cloudflare cloudflare realip cloudflare
Google Cloud Platform gcp realip gcp
Rackspace Cloud rackspace realip rackspace

Additional presets would be welcome by pull request for other cloud providers.


Simple usage to read X-Forwarded-For from a few known IPs only:

realip {

Simple usage of preset and IP:

realip cloudflare


realip cloudflare {


realip {
    from cloudflare
You can’t perform that action at this time.