Skip to content

caddyhttp: Add trusted_proxies_unix for trusting unix socket X-Forwarded-* headers #7265

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

caddyhttp: Add trusted_proxies_unix for trusting unix socket X-Forwarded-* headers #7265

wants to merge 2 commits into from
+119 −0

Conversation

cseufert
Copy link

Added a new server configuration option trusted_proxies_unix to support trusting connections to a bind unix://path.sock. This also works with strict mode enabled trusted_proxies_strict.

This allows for seamless setup of (tcp:443) -> caddy -> (unix socket) -> caddy -> php_fastcgi to have the correct remote address available.

Fixes #7263

Assistance Disclosure

"Copilot provided tab completion for code and comments."

@CLAassistant
Copy link

CLAassistant commented Sep 17, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@francislavoie
Copy link
Member

Thanks!

Let's make it a boolean instead of int, the reason strict is an int is because it's meant to have the dual purpose (eventually) to mean the N-th IP (iirc) from the right of the XFF header.

Also please add a Caddyfile adapt test (look for .caddyfiletest files)

@cseufert
Copy link
Author

Thanks!

Let's make it a boolean instead of int, the reason strict is an int is because it's meant to have the dual purpose (eventually) to mean the N-th IP (iirc) from the right of the XFF header.

Also please add a Caddyfile adapt test (look for .caddyfiletest files)

Makes sense, created a .caddyfiletest and changed to bool. Let me know if i need more for the adapt side. Also I have no clue what is actually failing on the last CI build on Mac OS

@cseufert
Copy link
Author

@francislavoie is this likely to get merged, or should I open a PR for a different approach?

@francislavoie
Copy link
Member

Yes sorry, it will be merged soon. It fell off my radar.

@cseufert @francislavoie
Support for trusting unix socket X-Forwarded-* headers
124beff 
Added a new server configuration option `trusted_proxies_unix` to support trusting connections to a `bind unix://path.sock`. This also works with strict mode enabled `trusted_proxies_strict`.

This allows for seamless setup of `(tcp:443) -> caddy -> (unix socket) -> caddy -> php_fastcgi` to have the correct remote address available.

Fixes caddyserver#7263
@cseufert @francislavoie
Refactored trusted_proxies_unix to boolean
998747a 
Added .caddyfiletest case for trusted_proxies_unix
@francislavoie francislavoie added this to the v2.11.0 milestone Sep 29, 2025
@francislavoie francislavoie changed the title Support for trusting unix socket X-Forwarded-* headers caddyhttp: Add trusted_proxies_unix for trusting unix socket X-Forwarded-* headers Sep 29, 2025
@francislavoie francislavoie modified the milestones: v2.11.0, v2.10.3 Sep 29, 2025
@francislavoie francislavoie enabled auto-merge (squash) September 29, 2025 11:34
@francislavoie francislavoie added the feature ⚙️ New feature or request label Sep 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

feature ⚙️ New feature or request

Projects

None yet

Milestone

v2.10.3

Development

Successfully merging this pull request may close these issues.

Option to enable trusted_proxies for unix socket files

3 participants

@cseufert @CLAassistant @francislavoie