From 79aa347f6a03943169e7f81e29a43882db7a3a44 Mon Sep 17 00:00:00 2001
From: Chris King
Date: Sun, 16 Feb 2025 01:16:36 -0800
Subject: [PATCH] Change default Authentik snippet to only modify X-Real-IP and X-Forwarded-Port headers Caddy passes through and sets other headers automatically Only use Cloudflare connecting IP header when request is coming from cloudflare
---
 caddy/config/Caddyfile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
index 4fd30d9..82e0c38 100644
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@@ -78,9 +78,17 @@
 {args[0]}.tremendousturtle.tools {
 import ttt-log {args[0]}
 import tls
- reverse_proxy authentik-app-1:9000 {
+ @not_cf header !CF-Connecting-IP
+ @cf header CF-Connecting-IP *
+
+ reverse_proxy @not_cf authentik-app-1:9000 {
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-Port {server_port}
+ }
+
+ reverse_proxy @cf authentik-app-1:9000 {
 header_up X-Real-IP {http.request.header.CF-Connecting-IP}
- header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+ header_up X-Forwarded-Port {server_port}
 }
 }
 }
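Review bot: The `@cf` matcher only tests that a `CF-Connecting-IP` header is present, and any client can supply that header, so it does not establish that the request came from Cloudflare as the commit message intends. If the origin can be reached without passing through Cloudflare (not visible from this hunk), the `X-Real-IP` that Authentik logs and evaluates in IP-based policy becomes a value the caller chooses. Tie the matcher to the peer address as well by adding `remote_ip` with Cloudflare's published ranges to `@cf`, and drop the header on the fallback path with `header_up -CF-Connecting-IP`. Routing through `handle @cf` and a bare `handle` keeps a header-bearing request from an untrusted peer from matching neither proxy. The enclosing snippet opens before the hunk, so its first line is not shown here.

```caddyfile
# … unchanged: import ttt-log / import tls …
@cf {
	header CF-Connecting-IP *
	# placeholder: fill in Cloudflare's published IPv4/IPv6 ranges
	remote_ip <CLOUDFLARE_IP_RANGES>
}

handle @cf {
	reverse_proxy authentik-app-1:9000 {
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-Port {server_port}
	}
}

handle {
	reverse_proxy authentik-app-1:9000 {
		# never forward a client-supplied Cloudflare header upstream
		header_up -CF-Connecting-IP
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-Port {server_port}
	}
}
```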