mirror of
https://github.com/Dokploy/templates.git
synced 2026-07-10 16:35:27 +02:00
Defaulting TRUSTED_PROXIES to 0.0.0.0/0 makes Caddy trust X-Forwarded-For / X-Real-IP from any peer, allowing client-IP spoofing (CWE-348 / CWE-290) that poisons rate-limiting and audit logs. In Dokploy the only upstream is Traefik on the private dokploy-network, so trust Caddy's built-in `private_ranges` token instead. Legitimate forwarded client IPs (Traefik is a private peer) still resolve correctly; XFF from public-IP peers is rejected if the proxy is ever exposed directly. Overridable via env for custom topologies. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>