jbrueckner/GhostGrid
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(caddy): add standard forwarding headers to every reverse_proxy

Browse Source 
Every generated reverse_proxy block now emits header_up for
X-Forwarded-Proto, X-Real-IP and Host. Caddy already sets the X-Forwarded-*
family and Host by default; this makes them explicit and adds X-Real-IP
(nginx convention) for backends that expect it. The https:// transport block
is preserved alongside the headers.
This commit is contained in:
Brückner
2026-06-09 11:39:45 +02:00
parent 1dba721a9a
commit bc677ff805
2 changed files with 14 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ARCHITECTURE.md
View File

@ -463,8 +463,12 @@ Manual: POST /api/semaphore/trigger/{bookingId} body { type: 'setup'|'teardown
```
buildCaddyfile():
{ local_certs } # global block
per custom route { [encode] [tls internal] reverse_proxy <upstream> }
upstream prefixed with https:// → reverse_proxy gets a
per custom route { [encode] [tls internal] reverse_proxy <upstream> { … } }
every reverse_proxy block carries standard forwarding headers:
header_up X-Forwarded-Proto {scheme}
header_up X-Real-IP {remote_host}
header_up Host {host}
upstream prefixed with https:// → block also gets a
transport http { tls_insecure_skip_verify } block
(for self-signed TLS backends like Semaphore)

12
server.ts
View File

@ -82,17 +82,21 @@ function buildCaddyfile(): string {
lines.push(`${route.hostname} {`);
if (route.compress) lines.push(' encode zstd gzip');
if (route.tls) lines.push(' tls internal');
lines.push(` reverse_proxy ${route.upstream} {`);
// Standard forwarding headers for every backend. Caddy already sets the
// X-Forwarded-* family and the Host header by default; these make them
// explicit and add X-Real-IP (nginx convention) for backends that expect it.
lines.push(' header_up X-Forwarded-Proto {scheme}');
lines.push(' header_up X-Real-IP {remote_host}');
lines.push(' header_up Host {host}');
if (/^https:\/\//i.test(route.upstream)) {
// HTTPS upstream (e.g. Semaphore) — connect over TLS and skip certificate
// verification, since such backends typically use a self-signed cert.
lines.push(` reverse_proxy ${route.upstream} {`);
lines.push(' transport http {');
lines.push(' tls_insecure_skip_verify');
lines.push(' }');
lines.push(' }');
} else {
lines.push(` reverse_proxy ${route.upstream}`);
}
lines.push(' }');
lines.push('}', '');
}