Unable to pass real IP to Gitea using Caddy

[hwcltjn]

Description

I seem completely unable to pass an incoming user's real IP (X-Real-IP or X-Forwarded-For) to Gitea when using Caddy as a reverse proxy.

In both the failed login and access logs, Gitea is showing Caddy's IP address.

Caddy version - 2.6.2

My app.ini file contains:

REVERSE_PROXY_LIMIT = 1 #(tried 2, too)
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8, 10.200.20.100/24

Under REVERSE_PROXY_TRUSTED_PROXIES I have tried:

• Just *
• 10.200.20.0/24
• 10.200.20.100/32

CaddyFile contains:

https://git.mydomain.com {
  reverse_proxy 10.200.20.125:3000 {
    header_up X-Real-IP {remote_host}
    header_up X-Forwarded-For {remote_host}
  }
}

Other applications behind the same Caddy installation do not have this problem and are correctly picking up both X-Real-IP or X-Forwarded-For.

Using the PHP snippet below (with completely vanilla NGINX+PHP), I was able to double check that Caddy is in fact passing the correct headers:

<?php
echo $_SERVER['HTTP_X_FORWARDED_FOR'];
echo "<br>";
echo $_SERVER['HTTP_X_REAL_IP'];
?>

---

I initially attempted the above with CloudFlare in front of Caddy with no luck and posted my issue on the forum - here.
I'm now attempting it without CloudFlare in front of Caddy.

Gitea Version

1.18.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Debian 11

How are you running Gitea?

Binary + systemd

Database

MySQL

[zeripath]

In which ini section have you put the REVERSE_PROXY_TRUSTED_PROXIES setting in? It needs to be within [security]

The IPs listed there need to contain the IP address of the proxy as it appears on the request from the proxy.

Are there any logs?

[hwcltjn]

Oh @zeripath , I'm an idiot.
I had them under [server] - I can't believe that's what it was 🤦‍♂️

Thank you!

[techknowlogick]

@hwcltjn not at all. Sometimes we all need a rubber duck ❤️