Add remote IP to on_demand_tls ask endpoint HTTP headers

[RobertoNovelo]

When Caddy sends the web request to the ask endpoint for on_demand_tls, there is no (easy) way to obtain the remote IP triggering the on demand TLS logic.

My proposal is to add this (and any other relevant) information to the request HTTP headers by default, but maybe it could make sense to add a configuration option.

[francislavoie]

Matt and I discussed this internally last month, and I think the conclusion was that we should not include it in the actual ask request. Matt's opinion was that it's not appropriate to use the remote IP as a decision vector because it's unrelated to the task at hand.

Instead, we can log this info (at debug level) with a specific logger name (like tls.ask) and you can configure a logger which only includes those logs, and that can contain the remote IP. You can read/process those logs as needed to do rate limiting.

[mholt]

Yeah; thanks for the question, but I do think the client IP is irrelevant in the decision to obtain a certificate and will lead to a false sense of security. The remote IP can't always be trusted either. Ultimately I think it would be a false sense of security. Edit: Can you tell how tired I was when I wrote this.

I'm potentially willing to be convinced otherwise, but it'd have to be a very strong argument IMO.

Closing for now, but feel free to continue discussion and we can reopen if needed.

[francislavoie]

For ref #5940 is adding client_ip to the logs.