reverseproxy: fix X-Forwarded-* headers for Unix socket requests#7463
mholt merged 1 commit into caddyserver:master from Feb 10, 2026
When a request arrives via a Unix domain socket (RemoteAddr == "@"), net.SplitHostPort fails, causing addForwardedHeaders to strip all X-Forwarded-* headers even when the connection is trusted via trusted_proxies_unix. Handle Unix socket connections before parsing RemoteAddr: if untrusted, strip headers for security; if trusted, let clientIP remain empty (no peer IP for a Unix socket hop) and fall through to the shared header logic, preserving the existing XFF chain without appending a spurious entry. Amp-Thread-ID: https://ampcode.com/threads/T-019c4225-a0ad-7283-ac56-e2c01eae1103 Co-authored-by: Amp <amp@ampcode.com>
XYenon added a commit to XYenon/nur-packages that referenced this pull request on Feb 9, 2026:
Cherry-pick from caddyserver/caddy#7463 Amp-Thread-ID: https://ampcode.com/threads/T-019c4294-d7bb-714c-a3e1-be5434420e1e Co-authored-by: Amp <amp@ampcode.com>
Member: FYI @cseufert
cseufert approved these changes on Feb 10, 2026.
This was referenced Feb 20, 2026
This is a follow-up improvement to #7265, which added trusted_proxies_unix support at the server layer.

Problem

While #7265 correctly determines trust status for Unix domain socket connections in determineTrustedProxy, the reverse_proxy module's addForwardedHeaders function does not account for this case. When RemoteAddr is "@" (Unix socket), net.SplitHostPort fails, causing all X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host headers to be unconditionally stripped — even when the connection is trusted via trusted_proxies_unix. This means upstream applications behind a reverse_proxy directive never receive forwarded headers when Caddy itself listens on a Unix socket.

Fix

Check for Unix socket connections (RemoteAddr == "@") before attempting SplitHostPort:
- ... trusted_proxies_unix), preserve existing X-Forwarded-* headers from trusted proxies.

Tests

Added three test cases in headers_test.go:
- TestAddForwardedHeaders_UnixSocketTrusted — trusted Unix socket with existing headers are preserved
- TestAddForwardedHeaders_UnixSocketUntrusted — untrusted Unix socket has headers stripped
- TestAddForwardedHeaders_UnixSocketTrustedNoExistingHeaders — trusted Unix socket with no prior headers falls back to defaults

Assistance Disclosure

Amp (Claude) identified the bug, generated the fix and tests. I reviewed and verified the code is correct.
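The bug and fix described in the PR body and commit message, as an added stand-alone Go illustration that is not Caddy's code: a single function that takes a `fixed` flag so the pre-fix behaviour (SplitHostPort fails on "@" and every X-Forwarded-* header is stripped regardless of trust) can be run beside the corrected one (Unix socket handled first; untrusted strips, trusted keeps the chain with an empty client IP). The trust decision is passed in as a plain `trusted` bool standing in for the server-layer check the page mentions, the function names, the request and the header values are all constructed for this example, and the default-filling of X-Forwarded-Proto/Host is an assumption about what "falls back to defaults" means rather than a statement about Caddy's implementation.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Header names handled by the forwarded-header logic under discussion.
var forwardedHeaderNames = []string{"X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host"}

func stripForwarded(h http.Header) {
	for _, name := range forwardedHeaderNames {
		h.Del(name)
	}
}

// applyForwardedHeaders returns the header set an upstream would receive.
// trusted is the trust decision made elsewhere for this peer (in Caddy by
// trusted_proxies / trusted_proxies_unix; here just a parameter, an
// assumption of this example). fixed selects the behaviour before (false)
// or after (true) the change the PR describes. Illustration only, not
// Caddy's implementation.
func applyForwardedHeaders(req *http.Request, trusted, fixed bool) http.Header {
	h := req.Header.Clone()
	if h == nil {
		h = http.Header{}
	}
	var clientIP string

	if fixed && req.RemoteAddr == "@" {
		// Unix domain socket hop: there is no peer IP. An untrusted peer
		// loses any X-Forwarded-* it sent; a trusted peer keeps its chain,
		// and clientIP stays empty so nothing spurious is appended below.
		if !trusted {
			stripForwarded(h)
		}
	} else {
		host, _, err := net.SplitHostPort(req.RemoteAddr)
		if err != nil || !trusted {
			// Before the fix, "@" lands here: SplitHostPort fails on it and
			// the headers are stripped regardless of the trust decision.
			stripForwarded(h)
		}
		if err == nil {
			clientIP = host
		}
	}

	// Shared logic: append this hop's client IP, then fill in defaults
	// for anything still missing (assumed default behaviour).
	if clientIP != "" {
		if prior := h.Get("X-Forwarded-For"); prior != "" {
			h.Set("X-Forwarded-For", prior+", "+clientIP)
		} else {
			h.Set("X-Forwarded-For", clientIP)
		}
	}
	if h.Get("X-Forwarded-Proto") == "" {
		proto := "http"
		if req.TLS != nil {
			proto = "https"
		}
		h.Set("X-Forwarded-Proto", proto)
	}
	if h.Get("X-Forwarded-Host") == "" {
		h.Set("X-Forwarded-Host", req.Host)
	}
	return h
}

// sampleRequest builds a constructed request from the given peer address,
// optionally carrying an X-Forwarded-* chain as a front proxy would set it.
func sampleRequest(remoteAddr string, withChain bool) *http.Request {
	req, err := http.NewRequest(http.MethodGet, "http://app.internal/", nil)
	if err != nil {
		panic(err)
	}
	req.RemoteAddr = remoteAddr
	if withChain {
		req.Header.Set("X-Forwarded-For", "203.0.113.7") // constructed values
		req.Header.Set("X-Forwarded-Proto", "https")
		req.Header.Set("X-Forwarded-Host", "www.example.test")
	}
	return req
}

func main() {
	for _, fixed := range []bool{false, true} {
		h := applyForwardedHeaders(sampleRequest("@", true), true, fixed)
		fmt.Printf("fixed=%v trusted unix socket: XFF=%q Proto=%q Host=%q\n",
			fixed, h.Get("X-Forwarded-For"), h.Get("X-Forwarded-Proto"), h.Get("X-Forwarded-Host"))
	}
}
```

Running it shows the difference the PR is about: with `fixed=false` the trusted Unix-socket request reaches the upstream with its original chain gone and only the defaults filled in, while with `fixed=true` the chain set by the front proxy survives untouched. The untrusted branch strips in both versions, which is the property the fix must not lose: trust for a Unix socket hop comes from the server-layer decision, never from the headers themselves.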