Some time ago I had the issue of needing to run Concrete CMS behind Caddy as a reverse proxy. It didn’t work out of the box - Concrete suddenly got stuck in an endless redirect loop.
Fortunately, Concrete CMS provides a configuration token specifically for this case:
In the file application/config/concrete.php:
security.trusted_proxies.ips
To avoid having to piece this together manually, I wrote a small configuration function that automatically detects the proxy based on the server setup, and even makes an exception for the local development environment.
<?php
return (function() {
$cfg = [
];
if ($_SERVER["SERVER_NAME"] != "localhost") {
$remoteIp = $_SERVER['REMOTE_ADDR'];
$cfg['security'] = [
'trusted_proxies' => [
'ips' => [
$remoteIp
],
'headers' => -1,
],
];
}
return $cfg;
})();
The function is self-invoking, so it directly returns the configuration array to Concrete CMS. It simply sets the appropriate configuration token to the IP of the requesting server.
In more recent versions of Concrete CMS, I’ve noticed that I no longer need this setting at all. Can anyone confirm this?
Otherwise: Happy coding!