Unable to pass real IP to Gitea using Caddy #10151

New Issue

GiteaMirror · 2025-11-02T08:59:41-06:00

GiteaMirror commented

2025-11-02 08:59:41 -06:00

Originally created by @hwcltjn on GitHub (Jan 24, 2023).

Description

I seem completely unable to pass an incoming user's real IP (X-Real-IP or X-Forwarded-For) to Gitea when using Caddy as a reverse proxy.

In both the failed login and access logs, Gitea is showing Caddy's IP address.

Caddy version - 2.6.2

My app.ini file contains:

REVERSE_PROXY_LIMIT = 1 #(tried 2, too)
REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8, 10.200.20.100/24

Under REVERSE_PROXY_TRUSTED_PROXIES I have tried:

Just *
10.200.20.0/24
10.200.20.100/32

CaddyFile contains:

https://git.mydomain.com {
  reverse_proxy 10.200.20.125:3000 {
    header_up X-Real-IP {remote_host}
    header_up X-Forwarded-For {remote_host}
  }
}

Other applications behind the same Caddy installation do not have this problem and are correctly picking up both X-Real-IP or X-Forwarded-For.

Using the PHP snippet below (with completely vanilla NGINX+PHP), I was able to double check that Caddy is in fact passing the correct headers:

<?php
echo $_SERVER['HTTP_X_FORWARDED_FOR'];
echo "<br>";
echo $_SERVER['HTTP_X_REAL_IP'];
?>

I initially attempted the above with CloudFlare in front of Caddy with no luck and posted my issue on the forum - here.
I'm now attempting it without CloudFlare in front of Caddy.

Gitea Version

1.18.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Debian 11

How are you running Gitea?

Binary + systemd

Database

MySQL

Originally created by @hwcltjn on GitHub (Jan 24, 2023). ### Description I seem completely unable to pass an incoming user's real IP (`X-Real-IP` or `X-Forwarded-For`) to Gitea when using Caddy as a reverse proxy. In both the failed login and access logs, Gitea is showing Caddy's IP address. Caddy version - 2.6.2 My `app.ini` file contains: ``` REVERSE_PROXY_LIMIT = 1 #(tried 2, too) REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8, 10.200.20.100/24 ``` Under `REVERSE_PROXY_TRUSTED_PROXIES` I have tried: - Just `*` - 10.200.20.0/24 - 10.200.20.100/32 `CaddyFile` contains: ``` https://git.mydomain.com { reverse_proxy 10.200.20.125:3000 { header_up X-Real-IP {remote_host} header_up X-Forwarded-For {remote_host} } } ``` Other applications behind the same Caddy installation do not have this problem and are correctly picking up both `X-Real-IP` or `X-Forwarded-For`. Using the PHP snippet below (with completely vanilla NGINX+PHP), I was able to double check that Caddy is in fact passing the correct headers: ```php <?php echo $_SERVER['HTTP_X_FORWARDED_FOR']; echo "<br>"; echo $_SERVER['HTTP_X_REAL_IP']; ?> ``` --- I initially attempted the above _with_ CloudFlare in front of Caddy with no luck and posted my issue on the forum - [here](https://discourse.gitea.io/t/unable-to-pass-real-ip-to-gitea-behind-cf-and-caddy/6580). I'm now attempting it _without_ CloudFlare in front of Caddy. ### Gitea Version 1.18.1 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System Debian 11 ### How are you running Gitea? Binary + systemd ### Database MySQL

GiteaMirror added the type/question label 2025-11-02 08:59:41 -06:00

GiteaMirror closed this issue

2025-11-02 08:59:41 -06:00

GiteaMirror commented

2025-11-02 08:59:42 -06:00

@zeripath commented on GitHub (Jan 24, 2023):

In which ini section have you put the REVERSE_PROXY_TRUSTED_PROXIES setting in? It needs to be within [security]

The IPs listed there need to contain the IP address of the proxy as it appears on the request from the proxy.

Are there any logs?

@zeripath commented on GitHub (Jan 24, 2023): In which ini section have you put the REVERSE_PROXY_TRUSTED_PROXIES setting in? It needs to be within `[security]` The IPs listed there need to contain the IP address of the proxy as it appears on the request from the proxy. Are there any logs?

GiteaMirror commented

2025-11-02 08:59:42 -06:00

@hwcltjn commented on GitHub (Jan 24, 2023):

Oh @zeripath , I'm an idiot.
I had them under [server] - I can't believe that's what it was 🤦‍♂️

Thank you!

@hwcltjn commented on GitHub (Jan 24, 2023): Oh @zeripath , I'm an idiot. I had them under `[server]` - I can't believe that's what it was 🤦‍♂️ Thank you!

GiteaMirror commented

2025-11-02 08:59:42 -06:00

@techknowlogick commented on GitHub (Jan 24, 2023):

@hwcltjn not at all. Sometimes we all need a rubber duck ❤️

@techknowlogick commented on GitHub (Jan 24, 2023): @hwcltjn not at all. Sometimes we all need a rubber duck ❤️

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#10151