From 3442beba19757ae6603073fea4b0f2a6ee5f62cf Mon Sep 17 00:00:00 2001
From: fuomag9 <1580624+fuomag9@users.noreply.github.com>
Date: Thu, 26 Feb 2026 01:25:08 +0100
Subject: [PATCH] fix: expand private_ranges to CIDRs before passing to caddy-blocker-plugin

The blocker plugin only accepts literal IP/CIDR strings; Caddy's built-in 'private_ranges' shorthand is not understood by third-party modules. Expand it to the equivalent CIDR list at config-build time.

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/caddy.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index ee6d8c8b..e062155b 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -49,6 +49,22 @@ const DEFAULT_AUTHENTIK_HEADERS = [
 const DEFAULT_AUTHENTIK_TRUSTED_PROXIES = ["private_ranges"];
+// The caddy-blocker-plugin accepts only literal IP/CIDR strings, not Caddy's
+// "private_ranges" shorthand. Expand it before building the blocker config.
+const PRIVATE_RANGES_CIDRS = [
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "127.0.0.0/8",
+ "fd00::/8",
+ "::1/128"
+];
+
+function expandPrivateRanges(proxies: string[]): string[] {
+ if (!proxies.includes("private_ranges")) return proxies;
+ return proxies.flatMap((p) => (p === "private_ranges" ? PRIVATE_RANGES_CIDRS : [p]));
+}
+
 type ProxyHostRow = {
 id: number;
 name: string;
@@ -784,7 +800,7 @@ function buildBlockerHandler(config: GeoBlockSettings): Record
 if (config.allow_cidrs?.length) handler.allow_cidrs = config.allow_cidrs;
 if (config.allow_ips?.length) handler.allow_ips = config.allow_ips;
- if (config.trusted_proxies?.length) handler.trusted_proxies = config.trusted_proxies;
+ if (config.trusted_proxies?.length) handler.trusted_proxies = expandPrivateRanges(config.trusted_proxies);
 if (config.fail_closed) handler.fail_closed = true;
 if (config.redirect_url) {
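Review bot: `PRIVATE_RANGES_CIDRS` is a second, hand-maintained copy of what Caddy expands `private_ranges` to, and nothing in the hunk ties the two together, so a change on either side will silently diverge; the six entries appear to match Caddy's own set (RFC1918, loopback, ULA, `::1`), but that is something a reader has to verify by hand. I'd extend the comment above the constant with `// Must stay in sync with the set Caddy expands "private_ranges" to (caddyhttp.PrivateRangesCIDR); link-local ranges are not part of that set and are not included here.` It is also worth stating for the next maintainer that `expandPrivateRanges` widens the blocker's trusted-proxy set to every address in those ranges, so any peer in the private/loopback space may present the forwarded client address — the same meaning the shorthand already had for Caddy's native handlers, now spelled out as literal CIDRs in the generated config. As a style point the array is never mutated, so `const PRIVATE_RANGES_CIDRS: readonly string[] = [` prevents accidental edits while `flatMap` still returns `string[]`.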
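Review bot: The call on the changed line rewrites only the `private_ranges` token; any other non-literal entry in `config.trusted_proxies` (which, judging by `GeoBlockSettings`, comes from user settings) still reaches the plugin unchanged and, per the commit message, is rejected only when Caddy loads the config rather than at build time. If that field is free-form in the UI, checking each expanded entry parses as an IP or CIDR here would fail fast with a clear error instead of a failed Caddy reload; if it is constrained elsewhere, a one-line comment saying so would save the next reader the search. Either way I'd annotate the line: `// blocker plugin takes literal IP/CIDR only; expand Caddy's private_ranges shorthand`. buildBlockerHandler starts and ends outside this hunk.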