Unable to pass real IP to Gitea behind CF and Caddy

Install/Maintain/Configure

tafa2 January 22, 2023, 3:28pm 1

I cannot seem to pass a user’s real IP to Gitea when behind CloudFlare and Caddy and have tried everything I can think of.

CaddyFile looks like:

https://git.mydomain.com {
  reverse_proxy 10.200.20.125:3000 {
    header_up X-Real-IP {remote_host}
    header_up X-Forwarded-For {remote_host}
    # Also tried the below
    # header_up X-Real-IP {http.request.header.CF-Connecting-IP}
    # header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
  }
}

Gitea’s app.ini looks like:

REVERSE_PROXY_LIMIT = 1 #(tried 2, too)
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8, 10.200.20.100/24

I’ve tried including CF’s IPs in the trusted proxy list and *, and increasing the proxy limit to 2.

Caddy logs show it is correctly picking up the real IP, Gitea just sees Caddy’s local IP.

Any help would be greatly appreciated.

tiny6996 January 22, 2023, 8:06pm 2

Try using remote instead of remote_host in the caddyfile like this

header_up X-Real-IP {remote}
header_up X-Forwarded-For {remote}

I am not sure if it matters but maybe setting the trusted proxy to 10.200.20.0/24 will help too

jake January 22, 2023, 8:10pm 3

I think your Gitea configuration is correct, REVERSE_PROXY_LIMIT should probably be set to 2 though.

It looks like your Caddy configuration has two issues though. Caddy manages all the X-Forwarded-For, X-Forwarded-Proto, etc. for you by default so you shouldn’t set those. X-Real-IP is not set by default in Caddy but may cause issues with using two chained reverse proxies in Gitea, I am not sure though (haven’t tried it). Another issue is that Caddy will not trust CloudFlare and ignore its X-Forwarded-For because it is not in Caddy’s trusted_proxies (see reverse_proxy (Caddyfile directive) — Caddy Documentation)

tafa2 January 23, 2023, 12:38am 4

Change to {remote} didn’t work.

tafa2 January 23, 2023, 12:45am 5

Thanks for pointing out the trusted_proxies setting.

I added it and confirmed that caddy is correctly passing X-Forwarded-For and showing the real IP (by testing it against PHP and specifically calling on HTTP_X_FORWARDED_FOR).

Unfortunately, Gitea just will not pick up the real IP - or even the CF proxy IP for that matter.
The failed login logs keep showing Caddy’s local address.

Even with REVERSE_PROXY_TRUSTED_PROXIES = * it doesn’t work.

jake January 23, 2023, 5:55pm 6

Can you check X-Real-IP header value in PHP? The relevant code in Gitea checks that header first and only use X-Forwarded-For if X-Real-IP does not exist:

func realIP(r *http.Request, options *ForwardedHeadersOptions) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return ""
	}

	if !options.isTrustedProxy(net.ParseIP(host)) {
		return ""
	}

	var ip string

	if xrip := r.Header.Get(xRealIP); xrip != "" {
		ip = xrip
	} else if xff := r.Header.Get(xForwardedFor); xff != "" {
		...
		ip = xff[p:]
	}

	return ip
}

(link to source code)

1 Like

tafa2 January 23, 2023, 6:23pm 7

Using the PHP (on vanilla PHP+NGINX) snippet below confirms that both X-Real-IP and X-Forwarded-For are being passed correctly and accurately by Caddy.

<?php
echo $_SERVER['HTTP_X_FORWARDED_FOR'];
echo "<br>";
echo $_SERVER['HTTP_X_REAL_IP'];
?>

In CaddyFile:

header_up X-Real-IP {http.request.header.CF-Connecting-IP}

In app.ini I’ve now tried:

REVERSE_PROXY_LIMIT = 2 # (I've tried, 1, 2, 3)
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8,10.200.20.0/24,173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22

Also, REVERSE_PROXY_TRUSTED_PROXIES = * doesn’t seem to change anything.

tafa2 January 24, 2023, 11:57pm 8

Turns out I had

REVERSE_PROXY_LIMIT = 1 
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8, 10.200.20.100/24

Under [server] in my app.ini instead of under [security]

Everything working as it should!

1 Like