Reverse Proxy with Caddy and Custom (Dynamic) Domain Names

David Lowry asked in Servers

TL;DR - how do I override the base_url (akin to CSRF protection?) with a set of valid domains?

Hi all

I run a PaaS of sorts which at present is hosted on Heroku and I have to map all my custom domains 1:1 with Heroku generated CNAMEs. This is a bit painful to maintain after 15-20 domains but I am trying to move away from this model for a different reason. I need to know the user's IPv6 address if it is what is presented by their browser (because my video CDN CAN see ipv6 and it breaks token authentication when I generate against ipv4). Heroku doesn't support this as its router is ipv4 only.

Scenario: I have a reverse proxy set up and functioning in Caddy BUT it fails at the form submission stage.

  • My app (on Heroku) responds at
  • My goal is to add IPv6 awareness and a little protection in front of my app server
  • My reverse proxy proxies to that domain and presents the site I'm requesting because I pass that through by forwarding the X-CustomDomain or similar (in Application Controller)
  • I attempt to sign in, sign up and my logs read "HTTP Origin header ( didn't match request.base_url (" on the form submission

I think my question is how do I override this base_url problem with a set of valid domains?

Heroku will proxy blindly via that specific URL but if I put something else in the regular x-REFERER header an SSL error occurs.

Hope that makes sense.

For clarity, my Caddy config set is below. I've commented out a few things that I added and have removed because Caddy does them automatically.

{
    reverse_proxy {
        header_up Host {upstream_hostport}
        header_up X-Forwarded-Host
        header_up X-MyCustomReferrer {host} #""
        #header_up X-Real-IP {remote_host}
        #header_up X-Forwarded-Proto {scheme}
        #header_up Access-Control-Allow-Origin *
        #header_up Access-Control-Allow-Credentials true
        #header_up Access-Control-Allow-Headers Cache-Control,Content-Type
    }
    log {
        output file /var/log/caddy/heroku.log
    }
}

In my Rails app I do something like this (in a tenancy-type manner):

      custom_domain = request.headers['HTTP_X_CUSTOMREFERRER'] # or nil
      ac = Account.find_site(request, custom_domain) # this uses request.domain and .subdomain where heroku knows the domains

PS Yes I'm building out a staging env in Hatchbox but a live migration is a bit much mid-season.

Rest-assured I overthought this!!

Host and Forwarded host only required and reverse proxy to the actual Heroku app (this may not be necessary, as opposed to my other CNAME'd end-points). The below works.

{
        reverse_proxy {
                header_up Host {upstream_hostport}
                header_up X-Forwarded-Host {host}
        }
        log {
               #  blah
        }
}
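
Added example (not code from the thread, from Rails or from Rack): a simplified, stand-alone model of the Origin versus base_url comparison from the log message above, combined with an allowlist of valid tenant domains as asked in the question. The host names, `ALLOWED_HOSTS` and the helper names are constructed assumptions; the derivation of the base URL from `X-Forwarded-Host` is a simplification of what the framework does.

```ruby
require "uri"

# Constructed tenant domains; a real app would load these from its accounts table.
ALLOWED_HOSTS = %w[shop.example.test video.example.test].freeze

# Last non-empty value of a comma-separated forwarding header, or nil.
def last_forwarded(value)
  value.to_s.split(",").map(&:strip).reject(&:empty?).last
end

# Simplified model of how a proxied app derives its base URL:
# prefer the proxy-supplied X-Forwarded-Host, fall back to Host.
def effective_base_url(env)
  host = (last_forwarded(env["HTTP_X_FORWARDED_HOST"]) || env["HTTP_HOST"]).to_s.downcase
  scheme = last_forwarded(env["HTTP_X_FORWARDED_PROTO"]) || "http"
  "#{scheme}://#{host}"
end

# Returns [:accept, base_url] or [:reject, reason].
def check_request(env, allowed: ALLOWED_HOSTS)
  base = effective_base_url(env)
  origin = env["HTTP_ORIGIN"]
  if origin && origin != base
    return [:reject, "Origin (#{origin}) didn't match base_url (#{base})"]
  end
  host = begin
    URI.parse(base).host
  rescue URI::InvalidURIError
    nil # an unparsable forwarded host is never on the allowlist
  end
  return [:reject, "host not in allowlist: #{host.inspect}"] unless allowed.include?(host)
  [:accept, base]
end

# Constructed requests as the app would see them behind the proxy.
FIRST_CONFIG = { # Host rewritten to the upstream, X-Forwarded-Host left empty
  "HTTP_HOST" => "upstream-app.example.test", "HTTP_X_FORWARDED_HOST" => "",
  "HTTP_X_FORWARDED_PROTO" => "https", "HTTP_ORIGIN" => "https://shop.example.test"
}.freeze
WORKING_CONFIG = FIRST_CONFIG.merge("HTTP_X_FORWARDED_HOST" => "shop.example.test").freeze
UNKNOWN_TENANT = FIRST_CONFIG.merge(
  "HTTP_X_FORWARDED_HOST" => "unknown.example.test", "HTTP_ORIGIN" => "https://unknown.example.test"
).freeze

if __FILE__ == $PROGRAM_NAME
  [FIRST_CONFIG, WORKING_CONFIG, UNKNOWN_TENANT].each { |env| p check_request(env) }
end
```

The third request passes the Origin comparison because both values come from the client side of the proxy, which is why the forwarded host is also checked against the list of known tenant domains.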