caddyhttp: Add server-level trusted_proxies config #5103
Thanks - overall this LGTM, just a question about implementation. I still want to review this one more time before merging, even if no more changes are made. Not sure if it'll go into 2.6.2 or 2.6.3.
I'll get back to this soon. My priorities had been elsewhere for the past while.
Alright, this is ready for another round of review. I'm pretty happy with this.
This is looking great!
My only request is, can we use the existing Vars context value instead of creating a new one? Each time we create a new one, it makes writing mocks a little more tedious and error-prone.
We are. That's where vars is first initialized 🤔 but maybe I don't understand what you mean.
Wow you're right. I'm blind. LGTM! Thank you :)
Partial work for #4924 as per my plan in #4924 (comment)

We've had requests for defining `trusted_proxies` globally, so it doesn't need to be configured for each `reverse_proxy`. This does that.

But also, this opens the door for more places we can use trusted proxies, such as in #4924 which asks for getting the real client IP. We can do that by looking at the XFF header if the proxy is trusted. That part isn't done in this PR, edit: this is in #5104!

Also we might want to change how `remote_ip forwarded` works, possibly making it not trust forwarded by default (which would be a breaking change... but eh, it's known to be insecure right now). And maybe we should add `client_ip` to the logs. See #5104 for the logs part.
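
An added example (not code from this PR or from Caddy) of the idea in the description above: the XFF header is consulted only when the direct peer falls inside a configured trusted range. The function names, the right-to-left walk over the header and the sample addresses are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// isTrusted reports whether ip falls inside any CIDR in trusted (hypothetical helper).
func isTrusted(ip netip.Addr, trusted []string) bool {
	for _, c := range trusted {
		if p, err := netip.ParsePrefix(c); err == nil && p.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP picks the address to treat as the client. X-Forwarded-For is read
// only when the direct peer is a trusted proxy; otherwise it is ignored.
func clientIP(remoteAddr, xff string, trusted []string) string {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return ""
	}
	client := ap.Addr().Unmap()
	if !isTrusted(client, trusted) {
		return client.String() // untrusted peer: the header is client-controlled
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // right to left: newest hop first
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // empty or malformed entry: keep the last valid address
		}
		client = ip.Unmap()
		if !isTrusted(client, trusted) {
			break // first address not appended by a trusted proxy
		}
	}
	return client.String()
}

func main() {
	trusted := []string{"10.0.0.0/8"} // constructed sample range
	fmt.Println(clientIP("203.0.113.7:4444", "1.2.3.4", trusted))
	fmt.Println(clientIP("10.0.0.5:443", "6.6.6.6, 198.51.100.9, 10.0.0.8", trusted))
}
```

Entries to the left of the first untrusted address were supplied by the client side and are never returned, so a forged leading value in the header has no effect on the result.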