From f464553da43366316ddeec048f54eb66e88a298d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maxime=20H=C3=A9lias?= Date: Thu, 19 Jan 2023 17:57:39 +0100 Subject: [PATCH] docs: configuring a load balancer or a reverse proxy --- docs/production.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/production.md b/docs/production.md index 663f329..f7761b1 100644 --- a/docs/production.md +++ b/docs/production.md @@ -89,3 +89,16 @@ docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d If you want to deploy your app on a cluster of machines, you can use [Docker Swarm](https://docs.docker.com/engine/swarm/stack-deploy/), which is compatible with the provided Compose files. + +## Configuring a Load Balancer or a Reverse Proxy + +Since Caddy 2.5, XFF values of incoming requests will be ignored to prevent spoofing. +So if Caddy is not the first server being connected to by your clients (for example when a CDN is in front of Caddy), you may configure `trusted_proxies` with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. +As a shortcut, `private_ranges` may be configured to trust all private IP ranges. + +```diff +-php_fastcgi unix//var/run/php/php-fpm.sock ++php_fastcgi unix//var/run/php/php-fpm.sock { ++ trusted_proxies private_ranges ++} +```
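Review bot: the example at the end of the new "Configuring a Load Balancer or a Reverse Proxy" section shows `trusted_proxies private_ranges`, but the prose motivates the setting with a CDN in front of Caddy, and a CDN connects from public addresses that `private_ranges` does not cover, so the snippet as written would not fix the case the text describes. Consider adding a variant that lists explicit CIDRs for the CDN case, and noting that `private_ranges` is only appropriate when every host in those private networks is allowed to set the forwarded headers, since anything connecting from a trusted range can supply its own client IP. The first added sentence also uses "XFF" without expanding it and the next one refers to "these headers"; spelling out `X-Forwarded-For` and naming the other forwarded headers meant would let the paragraph read on its own.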