You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When Caddy sends the web request to the ask endpoint for on_demand_tls, there is no (easy) way to obtain the remote IP triggering the on demand TLS logic.
My proposal is to add this (and any other relevant) information to the request HTTP headers by default, but maybe it could make sense to add a configuration option.
The text was updated successfully, but these errors were encountered:
Matt and I discussed this internally last month, and I think the conclusion was that we should not include it in the actual ask request. Matt's opinion was that it's not appropriate to use the remote IP as a decision vector because it's unrelated to the task at hand.
Instead, we can log this info (at debug level) with a specific logger name (like tls.ask) and you can configure a logger which only includes those logs, and that can contain the remote IP. You can read/process those logs as needed to do rate limiting.
Yeah; thanks for the question, but I do think the client IP is irrelevant in the decision to obtain a certificate and will lead to a false sense of security. The remote IP can't always be trusted either. Ultimately I think it would be a false sense of security. Edit: Can you tell how tired I was when I wrote this.
I'm potentially willing to be convinced otherwise, but it'd have to be a very strong argument IMO.
Closing for now, but feel free to continue discussion and we can reopen if needed.
When Caddy sends the web request to the
ask
endpoint foron_demand_tls
, there is no (easy) way to obtain the remote IP triggering the on demand TLS logic.My proposal is to add this (and any other relevant) information to the request HTTP headers by default, but maybe it could make sense to add a configuration option.
The text was updated successfully, but these errors were encountered: