From e59699ab1af6390f4e6707c266839ce5a813cf3d Mon Sep 17 00:00:00 2001
From: Catherine
Date: Sun, 21 Sep 2025 14:24:25 +0000
Subject: [PATCH] Configure Caddy to use PROXY protocol for `X-Forwarded-For`.

---
 conf/Caddyfile | 12 ++++++++++++
 fly.toml | 5 +++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/conf/Caddyfile b/conf/Caddyfile
index 2fd9ce6..dee9cc0 100644
--- a/conf/Caddyfile
+++ b/conf/Caddyfile
@@ -1,3 +1,13 @@
+(proxy) {
+ listener_wrappers {
+ proxy_protocol {
+ timeout 1s
+ allow {$ALLOW_PROXY}
+ }
+ tls
+ }
+}
+
 {
 persist_config off
 
@@ -33,11 +43,13 @@
 servers :80 {
 name http
 protocols h1 h2c
+ import proxy
 }
 
 servers :443 {
 name https
 protocols h1 h2
+ import proxy
 }
 
 servers {$UDP_BIND_TO:0.0.0.0}:443 {
diff --git a/fly.toml b/fly.toml
index 9be959a..09a96c0 100644
--- a/fly.toml
+++ b/fly.toml
@@ -18,6 +18,7 @@ memory = 512
 
 [env]
 UDP_BIND_TO = "fly-global-services"
+ALLOW_PROXY = "172.16.0.0/16"
 AUTOMEMLIMIT = "0.25"
 
 [[files]]
@@ -27,14 +28,14 @@ secret_name = "GIT_PAGES_CONFIG"
 [[services]]
 internal_port = 80
 protocol = "tcp"
-ports = [{ port = 80 }]
+ports = [{ port = 80, handlers = ["proxy_proto"], proxy_proto_options = { version = "v2" } }]
 auto_stop_machines = "stop"
 auto_start_machines = true
 
 [[services]]
 internal_port = 443
 protocol = "tcp"
-ports = [{ port = 443 }]
+ports = [{ port = 443, handlers = ["proxy_proto"], proxy_proto_options = { version = "v2" } }]
 auto_stop_machines = "stop"
 auto_start_machines = true
 
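Review bot: `allow {$ALLOW_PROXY}` in the new `(proxy)` snippet has no default, unlike `{$UDP_BIND_TO:0.0.0.0}` further down the same file, so a deployment that does not set the variable leaves `allow` without an argument. Depending on the Caddy version that is presumably either a config load error or a wrapper with no allow-list, and the second case decides whether an arbitrary peer can supply the client address that ends up in `X-Forwarded-For`; this should be confirmed rather than left implicit. I would add a comment above the directive, e.g. `# ALLOW_PROXY: CIDR range(s) of the load balancer only; every peer in it can choose the client IP we log and forward`, and either give the placeholder a narrow default or state that the variable is mandatory.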
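Review bot: The `import proxy` lines cover the `:80` and `:443` servers, but the `servers {$UDP_BIND_TO:0.0.0.0}:443` block that opens on the last line of this hunk (its body is outside the hunk) does not appear to get an equivalent, so requests arriving on that listener presumably still report the transport peer address. If anything downstream uses `X-Forwarded-For` for rate limiting, access rules or audit logs, "client address" then means two different things depending on the protocol the client negotiated. A comment on that block such as `# PROXY protocol is not enabled on this listener; the client address is the peer as seen by Caddy` would record that the omission is deliberate.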
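Review bot: `ALLOW_PROXY = "172.16.0.0/16"` is the whole trust boundary for client addresses, and nothing in the file says why this range was chosen. Every source in that /16 that can reach internal ports 80 and 443 may send a PROXY header and thereby set the address Caddy reports, so the range should be confirmed to contain only the platform's edge proxy and be as narrow as the platform allows. It is IPv4 only; if the proxy can also connect over IPv6, those connections fall outside the list, which needs checking. A comment above the key would help: `# Source range of the Fly proxy; Caddy accepts PROXY headers (client IP) only from here.`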
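Review bot: The two new `ports` values nest an inline table inside an inline table inside an array on one line, and the same long value is repeated for both services, which makes the security-relevant part (`handlers = ["proxy_proto"]`) easy to miss or to change on one port only. Writing each port as a `[[services.ports]]` sub-table keeps one key per line; the scalar keys of the service then have to come before the sub-table header, as in the sketch below. A one-line comment that these handlers must stay in step with `ALLOW_PROXY` and the `(proxy)` snippet in `conf/Caddyfile` would also help, since enabling one side without the other changes what Caddy receives on the socket.

```toml
[[services]]
internal_port = 80
protocol = "tcp"
auto_stop_machines = "stop"
auto_start_machines = true

# Keep in step with ALLOW_PROXY and the (proxy) snippet in conf/Caddyfile.
[[services.ports]]
port = 80
handlers = ["proxy_proto"]
proxy_proto_options = { version = "v2" }

# … same layout for the internal_port = 443 service …
```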