
Cannot not handle X-Forwarded-For properly #153

Open
gili-gili opened this issue Nov 3, 2023 · 1 comment

Comments

@gili-gili

I am using Caddy as a reverse proxy and Cloudflare as the CDN service.
The server cannot read the client's real IP from the X-Forwarded-For header.
Part of the Caddy configuration:

```json
{
  "match": [
    {
      "host": ["example.com"]
    }
  ],
  "handle": [
    {
      "handler": "subroute",
      "routes": [
        {
          "match": [
            {
              "path": ["/dns-query"]
            }
          ],
          "handle": [
            {
              "handler": "reverse_proxy",
              "headers": {
                "request": {
                  "set": {
                    "X-Forwarded-For": ["{http.request.header.CF-Connecting-IP}"]
                  }
                }
              },
              "upstreams": [
                {
                  "dial": "127.0.0.1:8053"
                }
              ]
            }
          ]
        },
        {
          "handle": [
            {
              "handler": "file_server",
              "root": "/path/to/caddy"
            }
          ],
          "terminal": true
        }
      ]
    }
  ]
}
```

If I replace X-Forwarded-For with X-Real-IP, then the server is able to read the client's real IP. I don't know whether this is caused by Caddy or by dns-over-https.

@m13253
Owner

m13253 commented Nov 3, 2023

Doh-server is programmed to require the client IP to be a globally routable IP. (In other words, if your server is in the same private network as your client, doh-server may see something like 192.168.114.191 and decide to ignore it, since it cannot help with GeoDNS.)

Can you check whether the submitted X-Forwarded-For IP is a globally routable one?

If there are multiple X-Forwarded-For IPs, doh-server deletes any non-global IPs and then chooses the farthest one on the proxy chain for GeoDNS.
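The selection rule described in the comment above (drop every non-global entry from X-Forwarded-For, then take the hop farthest from the server) can be checked against the values Caddy forwards with a small Go program. This is an added example written for this issue page; it is not doh-server's own code, and the exact definition of "globally routable" used here (public unicast, excluding private, loopback, link-local and unspecified ranges) is an assumption. The header strings in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// isGloballyRoutable reports whether addr is a public unicast address.
// netip's IsGlobalUnicast alone is not enough: it also returns true for
// RFC 1918 and IPv6 ULA space, so those are excluded explicitly.
// This rule set is an assumption for the example, not doh-server's own.
func isGloballyRoutable(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	if !addr.IsValid() || !addr.IsGlobalUnicast() {
		return false
	}
	return !addr.IsPrivate() &&
		!addr.IsLoopback() &&
		!addr.IsLinkLocalUnicast() &&
		!addr.IsUnspecified()
}

// globalHops parses a comma-separated X-Forwarded-For value and returns
// only the entries that are globally routable, in their original order
// (first entry = farthest from this server on the proxy chain).
// Malformed entries are dropped rather than failing the whole header.
func globalHops(header string) []netip.Addr {
	var hops []netip.Addr
	for _, field := range strings.Split(header, ",") {
		s := strings.TrimSpace(field)
		if s == "" {
			continue
		}
		addr, err := netip.ParseAddr(s)
		if err != nil {
			continue
		}
		if isGloballyRoutable(addr) {
			hops = append(hops, addr.Unmap())
		}
	}
	return hops
}

// ClientIPFromXFF applies the policy from the comment: filter out the
// non-global hops and choose the farthest remaining one. ok is false when
// nothing usable is left, which is the case the reporter is hitting when
// the header carries only a private address.
func ClientIPFromXFF(header string) (ip netip.Addr, ok bool) {
	hops := globalHops(header)
	if len(hops) == 0 {
		return netip.Addr{}, false
	}
	return hops[0], true
}

func main() {
	// Constructed sample headers, not captured traffic.
	samples := []string{
		"203.0.113.7",                             // what Caddy sets from CF-Connecting-IP
		"192.168.114.191",                         // LAN client: rejected, as the comment explains
		"192.168.114.191, 203.0.113.7, 10.0.0.1",  // private hops removed, farthest global kept
		"::ffff:198.51.100.2, 2001:db8::1",        // IPv4-mapped entry unmapped and chosen
		"not-an-ip, , 127.0.0.1",                  // nothing usable
	}
	for _, h := range samples {
		ip, ok := ClientIPFromXFF(h)
		fmt.Printf("%-42q -> ip=%v ok=%v\n", h, ip, ok)
	}
}
```

With the Caddy snippet above, `set` replaces the header with the single value of CF-Connecting-IP, so the list has one entry and the only question is whether that address passes the routability check; an address such as 192.168.114.191 fails it, which matches the behaviour the comment describes.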
