Connecting through a proxy causes two issues:
- Nameless sees the address of your proxy instead of your users. This breaks IP bans and rate limiting. It is solved by sending the `Forwarded`, `X-Forwarded-For`, or `X-Real-IP` (not recommended) header from the proxy to the backend web server.
- The proxy may be using a different protocol and port. Usually, the proxy is HTTPS on port 443, but the backend web server is HTTP on port 80. This breaks absolute URL generation. It is solved by sending the `X-Forwarded-Port` and `X-Forwarded-Proto` headers from the proxy to the backend web server.
- CloudFlare does not support sending `X-Forwarded-Port` and `X-Forwarded-Proto`. Instead, ensure CloudFlare and your backend web server use the same port and protocol: configure HTTPS on your backend web server and change the TLS mode from Flexible to Full (Strict).
- CloudFlare automatically sends the correct X-Forwarded-For header.
- Configure Trusted proxies
Add the following lines to your config file, in the `location / {}` block:

```nginx
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
```

Also configure Trusted proxies.
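
Why the trusted proxy list matters once these headers are in use, shown as an added Python example (not Nameless's own code): the backend should honour `X-Forwarded-*` only when the connection comes from a known proxy, and should read `X-Forwarded-For` from the right. The names `TRUSTED_PROXIES`, `is_trusted` and `resolve_request` and all addresses are assumptions made for this example.

```python
import ipaddress

# Constructed sample value: networks your own proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/8")]


def is_trusted(addr):
    """True if addr parses as an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_request(remote_addr, headers, local_scheme="http", local_port=80):
    """Return (client_ip, scheme, port) as the backend should see them.

    remote_addr is the TCP peer; headers is a dict of request headers.
    local_scheme/local_port describe the backend listener itself.
    """
    if not is_trusted(remote_addr):
        # Peer is not our proxy, so any X-Forwarded-* header is client-supplied.
        return remote_addr, local_scheme, local_port

    # $proxy_add_x_forwarded_for appends the peer to whatever the client sent,
    # so read right to left and stop at the first hop that is not our proxy.
    client = remote_addr
    for hop in reversed(headers.get("X-Forwarded-For", "").split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # empty or malformed entry: keep the last valid hop
        client = hop
        if not is_trusted(hop):
            break

    scheme = headers.get("X-Forwarded-Proto", local_scheme).lower()
    if scheme not in ("http", "https"):
        scheme = local_scheme
    try:
        port = int(headers.get("X-Forwarded-Port", ""))
    except ValueError:
        port = 0
    if not 0 < port < 65536:
        port = 443 if scheme == "https" else 80
    return client, scheme, port
```

With the trusted list left empty or too broad, IP bans and rate limits end up keyed on either the proxy's address or a value the client chose.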