feat(caddy): add standard forwarding headers to every reverse_proxy
Every generated reverse_proxy block now emits header_up for X-Forwarded-Proto, X-Real-IP and Host. Caddy already sets the X-Forwarded-* family and Host by default; this makes them explicit and adds X-Real-IP (nginx convention) for backends that expect it. The https:// transport block is preserved alongside the headers.
This commit is contained in:
Brückner
12
server.ts
12
server.ts
@ -82,17 +82,21 @@ function buildCaddyfile(): string {
|
||||
lines.push(`${route.hostname} {`);
|
||||
if (route.compress) lines.push(' encode zstd gzip');
|
||||
if (route.tls) lines.push(' tls internal');
|
||||
lines.push(` reverse_proxy ${route.upstream} {`);
|
||||
// Standard forwarding headers for every backend. Caddy already sets the
|
||||
// X-Forwarded-* family and the Host header by default; these make them
|
||||
// explicit and add X-Real-IP (nginx convention) for backends that expect it.
|
||||
lines.push(' header_up X-Forwarded-Proto {scheme}');
|
||||
lines.push(' header_up X-Real-IP {remote_host}');
|
||||
lines.push(' header_up Host {host}');
|
||||
if (/^https:\/\//i.test(route.upstream)) {
|
||||
// HTTPS upstream (e.g. Semaphore) — connect over TLS and skip certificate
|
||||
// verification, since such backends typically use a self-signed cert.
|
||||
lines.push(` reverse_proxy ${route.upstream} {`);
|
||||
lines.push(' transport http {');
|
||||
lines.push(' tls_insecure_skip_verify');
|
||||
lines.push(' }');
|
||||
lines.push(' }');
|
||||
} else {
|
||||
lines.push(` reverse_proxy ${route.upstream}`);
|
||||
}
|
||||
lines.push(' }');
|
||||
lines.push('}', '');
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user