From ac6d8f01baab374a68a77c68d1b1f32364507ad6 Mon Sep 17 00:00:00 2001 From: xboard Date: Thu, 23 Apr 2026 11:39:58 +0800 Subject: [PATCH] fix(caddy): preserve X-Forwarded-For chain so Laravel TrustProxies resolves real client IP --- .docker/caddy/Caddyfile | 9 +++++++++ .docker/caddy/Caddyfile.split | 3 +++ 2 files changed, 12 insertions(+) diff --git a/.docker/caddy/Caddyfile b/.docker/caddy/Caddyfile index 48ccbe7..62f7a7a 100644 --- a/.docker/caddy/Caddyfile +++ b/.docker/caddy/Caddyfile @@ -13,6 +13,9 @@ output stdout format console } + servers { + trusted_proxies static 0.0.0.0/0 ::/0 + } } :{$CADDY_LISTEN_PORT:7001} { @@ -21,6 +24,12 @@ reverse_proxy 127.0.0.1:{$OCTANE_INTERNAL_PORT:7002} { header_up Host {host} + # X-Forwarded-For is auto-appended with our remote_addr by Caddy + # (enabled by the global trusted_proxies above), so Octane receives the + # full proxy chain and Laravel's TrustProxies middleware resolves the + # real client IP using its own trust list. We additionally surface the + # directly-connected peer as X-Real-IP for downstream consumers (logs, + # admin tools) that read it directly without TrustProxies. header_up X-Real-IP {remote_host} } } diff --git a/.docker/caddy/Caddyfile.split b/.docker/caddy/Caddyfile.split index 653a6dc..e4cd500 100644 --- a/.docker/caddy/Caddyfile.split +++ b/.docker/caddy/Caddyfile.split @@ -9,6 +9,9 @@ output stdout format console } + servers { + trusted_proxies static 0.0.0.0/0 ::/0 + } } :7001 {
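Review bot: `trusted_proxies static 0.0.0.0/0 ::/0` in the global `servers` block marks every connecting peer as a trusted proxy, so Caddy keeps whatever X-Forwarded-For value a client sends and passes it on to Octane. The resolved client IP is then only as trustworthy as Laravel's TrustProxies list, which is not visible in this patch; if that list is `*` or broad, IP-based rate limits, allow-lists and audit logs can be fed a forged address. Restrict the range to the hops that actually sit in front of Caddy, e.g. `trusted_proxies static private_ranges` or the load balancer's own CIDRs, ideally through an env placeholder in the style of the existing `{$CADDY_LISTEN_PORT:7001}`. The same line is added in the `.docker/caddy/Caddyfile.split` hunk and needs the same change.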
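Review bot: The comment added above `header_up X-Real-IP {remote_host}` presents the forwarded chain as safe input for TrustProxies without saying that, while every peer is trusted, the entries to the left of Caddy's own hop are client-supplied. I would add a line such as `# NOTE: X-Forwarded-For entries left of our own hop are client-controlled unless trusted_proxies is narrowed; TrustProxies must list only real proxy hops.` so that nobody sets Laravel to trust all proxies on the strength of this comment. It is also worth stating that `{remote_host}` is the directly connected peer, which behind a load balancer is the balancer's address and not the end user's. The enclosing site block begins outside the hunk.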