So after I updated my Caddy version to 2.5, I noticed there is a bug currently in all 2.5.x releases (2.5.0, 2.5.1 and latest).
It seems that whenever you put the Caddy webserver in front of a proxy such as Cloudflare, the HTTP_X_FORWARDED_PROTO header and some others are always set to http, even though it originated from https. When I downgrade back to Caddy 2.4.6 it starts working fine again and the HTTP_X_FORWARDED_PROTO header is properly set to https when coming from the Cloudflare proxy.
This is a big issue, since it becomes impossible to determine what the forwarded HTTP scheme was, etc.
You can replicate this issue locally by using the lucaslorentz/caddy-docker-proxy image. It behaves the same as when put behind proxies like Cloudflare.
Here is the Caddyfile I am using (notice I am only handling http in Caddy, since the SSL termination happens at the proxy):
{
	# Debug
	{$DEBUG}
	# HTTP/3 support
	servers {
		protocol {
			experimental_http3
		}
	}
}

:80

log

route {
	root * /srv/app/public
	mercure {
		# Transport to use (default to Bolt)
		transport_url {$MERCURE_TRANSPORT_URL:bolt:///data/mercure.db}
		# Publisher JWT key
		publisher_jwt {env.MERCURE_PUBLISHER_JWT_KEY} {env.MERCURE_PUBLISHER_JWT_ALG}
		# Subscriber JWT key
		subscriber_jwt {env.MERCURE_SUBSCRIBER_JWT_KEY} {env.MERCURE_SUBSCRIBER_JWT_ALG}
		# Allow anonymous subscribers (double-check that it's what you want)
		anonymous
		# Enable the subscription API (double-check that it's what you want)
		subscriptions
		# Extra directives
		{$MERCURE_EXTRA_DIRECTIVES}
	}
	vulcain
	push
	php_fastcgi {env.PHPFPM_HOST}:9000
	encode zstd gzip
	file_server
}
That's not a bug. See the release notes: you need to configure trusted_proxies. That applies to php_fastcgi as well, which is a shortcut for reverse_proxy with a fastcgi transport.
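The change the reply refers to, as an added example that is not part of this thread or of the Caddy project's own docs: since 2.5, reverse_proxy (and php_fastcgi, which wraps it) only keeps incoming X-Forwarded-* headers when the direct peer's IP is listed under trusted_proxies; from any other peer the headers are replaced with values derived from the connection Caddy itself saw, which on a plain :80 listener means http. That is a deliberate hardening: without it, anyone who can reach :80 directly could send `X-Forwarded-Proto: https` and have the application treat a cleartext request as TLS. The CIDR ranges below are a placeholder assumption (private networks, as on a Docker bridge); substitute the addresses your proxy actually connects from, such as Cloudflare's published ranges.

```caddyfile
:80 {
	root * /srv/app/public

	# Before (what the original Caddyfile does): no trusted_proxies, so in
	# 2.5.x Caddy treats the proxy as an untrusted client and overwrites
	# X-Forwarded-Proto with the scheme of its own listener (http). PHP then
	# sees HTTP_X_FORWARDED_PROTO=http even for requests that were HTTPS at
	# the edge.
	#
	# php_fastcgi {env.PHPFPM_HOST}:9000

	# After: the forwarded headers are preserved only when the TCP source
	# address of the request is inside one of these ranges. The ranges are an
	# assumption for illustration; replace them with your proxy's real address
	# ranges. A client that bypasses the proxy and hits :80 directly is not in
	# the list, so its X-Forwarded-Proto is still overwritten and cannot be
	# spoofed.
	php_fastcgi {env.PHPFPM_HOST}:9000 {
		trusted_proxies 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
	}

	file_server
}
```

If the header is still http after adding the directive, the peer address Caddy sees is not in the list; the remote address recorded by the `log` directive already in the Caddyfile shows which address the proxy (or the Docker network) is actually connecting from, and that is the range to trust. Trust the narrowest set of addresses you can, since every address in the list can assert any scheme, host and client IP it likes.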