caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

[BUG] X-Forwarded-Proto header is bugged in version 2.5.x and up #242

Closed belmeopmenieuwesim closed 2 years ago

belmeopmenieuwesim commented 2 years ago

So after I updated my caddy version to 2.5 I noticed there is a bug currently in all 2.5.x releases (2.5.0, 2.5.1 and latest).

It seems that whenever you put the caddy webserver in front of a proxy such as Cloudflare, the HTTP_X_FORWARDED_PROTO header and some others are always set to http, even though it originated from https. When I downgrade back to Caddy 2.4.6 it starts working fine again and the HTTP_X_FORWARDED_PROTO header is properly set to https when coming from Cloudflare proxy.

This is a big issue, since it becomes impossible to determine what the forwarded http scheme was etc.

You can replicate this issue locally by using the lucaslorentz/caddy-docker-proxy image. It behaves the same as when put behind proxies like Cloudflare.

Here is the Caddyfile I am using (notice I am only handling http in Caddy, since the SSL termination happens at the proxy):

{
    # Debug
    {$DEBUG}
    # HTTP/3 support
    servers {
        protocol {
            experimental_http3
        }
    }
}

:80

log

route {
    root * /srv/app/public
    mercure {
        # Transport to use (default to Bolt)
        transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
        # Publisher JWT key
        publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
        # Subscriber JWT key
        subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
        # Allow anonymous subscribers (double-check that it's what you want)
        anonymous
        # Enable the subscription API (double-check that it's what you want)
        subscriptions
        # Extra directives
        {$MERCURE_EXTRA_DIRECTIVES}
    }
    vulcain
    push
    php_fastcgi {env.PHPFPM_HOST}:9000
    encode zstd gzip
    file_server
}

francislavoie commented 2 years ago

That's not a bug. See the release notes: you need to configure trusted_proxies. That applies to php_fastcgi as well, which is a shortcut for reverse_proxy with a fastcgi transport.
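What that configuration looks like in the reporter's Caddyfile, as an added example rather than anything posted in the issue: the php_fastcgi directive gains a trusted_proxies block. The assumption that the proxy reaches Caddy from a private Docker network range, and the 203.0.113.0/24 placeholder, are mine; substitute your proxy's actual source ranges.

```caddyfile
# Added example (not from the issue): php_fastcgi with trusted_proxies, which
# Caddy 2.5+ requires before it will honour X-Forwarded-Proto / X-Forwarded-For
# sent by an upstream proxy. Without it Caddy fills those headers from the
# direct connection, which on a plain :80 listener is always "http".
:80

log

route {
    root * /srv/app/public
    php_fastcgi {env.PHPFPM_HOST}:9000 {
        # Only connections from these source addresses may supply
        # X-Forwarded-* values. A client connecting directly cannot claim
        # "https" or a fake client IP, because its headers are not trusted.
        # private_ranges covers RFC 1918 space (e.g. a Docker network where
        # caddy-docker-proxy lives); 203.0.113.0/24 is a documentation-range
        # placeholder standing in for a public proxy such as Cloudflare.
        trusted_proxies private_ranges 203.0.113.0/24
    }
    encode zstd gzip
    file_server
}
```

Keep the list as tight as the real proxy's ranges: every address in it is allowed to assert the client's scheme and IP to the PHP application.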