Upgrade caddy (#828)

Co-authored-by: Dax McDonald` <31839142+daxmc99@users.noreply.github.com>

Author: andreeleuterio

caddy/builtins/http.Caddyfile

@@ -4,4 +4,9 @@
 
 :80
 
-reverse_proxy {$SRC_FRONTEND_ADDRESSES}
+# Add the reverse proxies IPs (or IP CIDR ranges) to the trusted_proxies list.
+# More information in https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
+reverse_proxy {
+	to {$SRC_FRONTEND_ADDRESSES}
+	trusted_proxies 0.0.0.0/0
+}

caddy/builtins/https.custom-cert.Caddyfile

@@ -1,4 +1,4 @@
-# Serves Sourcegraph over HTTPS, using a custom SSL certificate/key pair 
+# Serves Sourcegraph over HTTPS, using a custom SSL certificate/key pair
 # that's bind mounted from the host to /sourcegraph.pem and /sourcegraph.key.
 #
 # Caddyfile documentation: https://caddyserver.com/docs/caddyfile
@@ -7,10 +7,15 @@
 
 # Redirects all HTTP traffic to HTTPS (using custom SSL certificates disables the automatic HTTPS feature of Caddy, see https://caddyserver.com/docs/automatic-https)
 @http {
-   protocol http
+	protocol http
 }
 redir @http https://{host}{uri}
 
 tls /sourcegraph.pem /sourcegraph.key
 
-reverse_proxy {$SRC_FRONTEND_ADDRESSES}
+# Add the reverse proxies IPs (or IP CIDR ranges) to the trusted_proxies list.
+# More information in https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
+reverse_proxy {
+	to {$SRC_FRONTEND_ADDRESSES}
+	trusted_proxies 0.0.0.0/0
+}

caddy/builtins/https.lets-encrypt-prod.Caddyfile

@@ -1,21 +1,25 @@
 # Serves Sourcegraph over HTTPS, using Caddy's automatic HTTPS certificate feature:
 # https://caddyserver.com/docs/automatic-https
 #
-# 🚨 Warning: If your DNS and Caddy configuration aren't properly configured (as 
-#             specified in https://caddyserver.com/docs/automatic-https), you can 
-#             run into Let's Encrypt rate limits which can block your certificates 
-#             for up to a week. 
-#             It's strongly recommened that you use the staging Caddyfile 
+# 🚨 Warning: If your DNS and Caddy configuration aren't properly configured (as
+#             specified in https://caddyserver.com/docs/automatic-https), you can
+#             run into Let's Encrypt rate limits which can block your certificates
+#             for up to a week.
+#             It's strongly recommened that you use the staging Caddyfile
 #             (https.lets-encrypt-staging.Caddyfile) to test your
-#             configuration before switching to this production one. 
+#             configuration before switching to this production one.
 #
 # Caddyfile documentation: https://caddyserver.com/docs/caddyfile
 #
-
 {
-    email {$SRC_ACME_EMAIL}
+	email {$SRC_ACME_EMAIL}
 }
 
 {$SRC_SITE_ADDRESS}
 
-reverse_proxy {$SRC_FRONTEND_ADDRESSES}
+# Add the reverse proxies IPs (or IP CIDR ranges) to the trusted_proxies list.
+# More information in https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
+reverse_proxy {
+	to {$SRC_FRONTEND_ADDRESSES}
+	trusted_proxies 0.0.0.0/0
+}

caddy/builtins/https.lets-encrypt-staging.Caddyfile

@@ -1,27 +1,31 @@
 # Serves Sourcegraph over HTTPS, using Caddy's automatic HTTPS certificate feature:
 # https://caddyserver.com/docs/automatic-https
-# 
-# Note: This configuration uses Let's Encrypt's staging environment. This will 
-# allow you to ensure that everything is correctly configured (with a reduced 
+#
+# Note: This configuration uses Let's Encrypt's staging environment. This will
+# allow you to ensure that everything is correctly configured (with a reduced
 # chance of running into rate limit issues). Note that using this configuration
 # issues a fake certificate (for testing purposes) instead of a trusted one.
 #
-# 🚨 Warning: If your DNS and Caddy configuration aren't properly configured (as 
-#             specified in https://caddyserver.com/docs/automatic-https), you can 
-#             run into Let's Encrypt rate limits which can block your certificates 
-#             for up to a week. 
+# 🚨 Warning: If your DNS and Caddy configuration aren't properly configured (as
+#             specified in https://caddyserver.com/docs/automatic-https), you can
+#             run into Let's Encrypt rate limits which can block your certificates
+#             for up to a week.
 #             It's strongly recommened that you use this Caddyfile to test your
-#             configuration before switching to the production one. 
+#             configuration before switching to the production one.
 #
 # Caddyfile documentation: https://caddyserver.com/docs/caddyfile
 #
-
 {
-    # Use Let's Encrypt's staging environment
-    acme_ca "https://acme-staging-v02.api.letsencrypt.org/directory"
-    email {$SRC_ACME_EMAIL}
+	# Use Let's Encrypt's staging environment
+	acme_ca "https://acme-staging-v02.api.letsencrypt.org/directory"
+	email {$SRC_ACME_EMAIL}
 }
 
 {$SRC_SITE_ADDRESS}
 
-reverse_proxy {$SRC_FRONTEND_ADDRESSES}
+# Add the reverse proxies IPs (or IP CIDR ranges) to the trusted_proxies list.
+# More information in https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
+reverse_proxy {
+	to {$SRC_FRONTEND_ADDRESSES}
+	trusted_proxies 0.0.0.0/0
+}

docker-compose/docker-compose.yaml

@@ -70,7 +70,7 @@ services:
   # https://caddyserver.com/docs/caddyfile
   caddy:
     container_name: caddy
-    image: 'index.docker.io/caddy:2.4.6-alpine@sha256:b5a59725783bab0d65803f87028c68dd6611ca6184040bd98b18797cbe26bdd9'
+    image: 'index.docker.io/caddy:2.5.1-alpine@sha256:6e62b63d4d7a4826f9e93c904a0e5b886a8bea2234b6569e300924282a2e8e6c'
     cpus: 4
     mem_limit: '4g'
     environment:
@@ -85,6 +85,9 @@ services:
     volumes:
       - 'caddy:/caddy-storage'
       #
+      # IMPORTANT: if a customer uses a reverse proxy in front of Caddy
+      # the configuration files below must be updated to include trusted_proxies
+      # 
       # Comment out the following line when using HTTPS with either Let's Encrypt or custom certificates
       - '../caddy/builtins/http.Caddyfile:/etc/caddy/Caddyfile'
       #