caddyhttp: Add server-level `trusted_proxies` config (#5103)

author: Francis Lavoie <lavofr@gmail.com> 2023-01-10 00:08:23 -0500
committer: GitHub <noreply@github.com> 2023-01-10 00:08:23 -0500
commit: 223cbe3d0b50487117c785f0755bb80a9ee65010 (patch)
tree: cf673da335e7470a50a7f1709464ec3f05e67291 /modules/caddyhttp/reverseproxy/reverseproxy.go
parent: 66ce0c5c635c4ff254ccb92123711534b6461b35 (diff)
1 files changed, 2 insertions, 4 deletions
diff --git a/modules/caddyhttp/reverseproxy/reverseproxy.go b/modules/caddyhttp/reverseproxy/reverseproxy.go
index 3adec3d..88d98e8 100644
--- a/modules/caddyhttp/reverseproxy/reverseproxy.go
+++ b/modules/caddyhttp/reverseproxy/reverseproxy.go
@@ -701,16 +701,14 @@ func (h Handler) addForwardedHeaders(req *http.Request) error {
 
 	// Client IP may contain a zone if IPv6, so we need
 	// to pull that out before parsing the IP
-	if before, _, found := strings.Cut(clientIP, "%"); found {
-		clientIP = before
-	}
+	clientIP, _, _ = strings.Cut(clientIP, "%")
 	ipAddr, err := netip.ParseAddr(clientIP)
 	if err != nil {
 		return fmt.Errorf("invalid IP address: '%s': %v", clientIP, err)
 	}
 
 	// Check if the client is a trusted proxy
-	trusted := false
+	trusted := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool)
 	for _, ipRange := range h.trustedProxies {
 		if ipRange.Contains(ipAddr) {
 			trusted = true
author	Francis Lavoie <lavofr@gmail.com>	2023-01-10 00:08:23 -0500
committer	GitHub <noreply@github.com>	2023-01-10 00:08:23 -0500
commit	223cbe3d0b50487117c785f0755bb80a9ee65010 (patch)
tree	cf673da335e7470a50a7f1709464ec3f05e67291 /modules/caddyhttp/reverseproxy/reverseproxy.go
parent	66ce0c5c635c4ff254ccb92123711534b6461b35 (diff)