Caddy as reverse proxy returns Docker net IP

[jaywire]

I have placed docker-ddns behind a Caddy reverse proxy, but it appears any requests are showing from the docker container IP. Examples:

ddns-sweet | 2019/12/23 20:04:39 A record update request: bar -> 172.18.0.3 caddy-gen | caddy.1 | <public_ip> - - [23/Dec/2019:20:04:39 +0000] "GET /update?secret=<secret_key>&domain=bar&addr= HTTP/2.0" 200 144

I'm not sure exactly how to pass the correct public IP through Caddy to docker-ddns. It seems Caddy is seeing the correct IP, but the actualy GET is coming into docker-ddns from Caddy, so this is the IP it's taking.

[jaywire]

Seems I'm having the same issue with LetsEncrypt and Traefik. From what I can tell, the request handler is using "r.RemoteAddr" which is not looking at the actual forwarded headers. It should look for X-Forwarded-For

This makes it kind of difficult to run behind a reverse proxy, unless I'm missing something here. There do seem to be a few methods for accomplishing this with Go.

[dstapp]

I'm running docker-ddns behind Caddy as well, there's nothing special:

asd {
    header / {
      Strict-Transport-Security "max-age=31536000;"
      Referrer-Policy "strict-origin-when-cross-origin"
      X-Content-Type-Options "nosniff"
      X-Frame-Options "DENY"
      X-XSS-Protection "1; mode=block"
      -Server
    }

	proxy / ddns:8080 {
		transparent
	}
}

Since docker-ddns does not use the REMOTE_ADDR request header but you have to pass you address manually (see the &addr= part in your example that is empty in your case), it does not matter what docker-ddns sees as origin IP address. Just send alongside your IP address and it will work.

Hope this helps.

I don't know why in your case it takes the Docker network's IP address when the addr query param is empty but I didn't work with the code base for a longer time and I'm short in time so I cannot check right now.

[jaywire]

Thanks for your reply! I do understand that the IP can be defined in the request manually, it does read the IP if you leave the addr= empty. If I run this without a reverse proxy, it works fine. Similar issue here:

#33

After some research into this, it seems that RemoteAddr only looks at the "last hop", which is going to be whatever the docker net IP of Caddy is.

https://husobee.github.io/golang/ip-address/2015/12/17/remote-ip-go.html

It does appear that "request_handler.go" is using RemoteAddr on line 56:

ip, _, err := net.SplitHostPort(r.RemoteAddr)

75dde3a

I'm using this to manage a number of edge computing devices as part of a larger project, so the ability to remotely detect and update the A record for each FQDN is fantastic. I could request the IP a dozen other ways and simply add it to the curl, but that's no fun. :)

I may sit down this weekend and brush up on some Go. If I something put together to read the "X-Forwarded-For", "X-Real-Ip" headers I'll submit a PR.

[sgyurko]

This does not need any code change. You can just pass the value in the right place on your reverse proxy.
I'm not familiar with Caddy, but on Apache you'd do:

RewriteRule /update /update?addr=%{CONN_REMOTE_IP} [QSA,P]

The idea is that you can take out the header you are interested in at the proxy level and append it to the query string.