ipfilter
Trusts addresses from the client-provided X-Forwarded-For header
Arrive at a page blocked using ipfilter.
Spoof the X-Forwarded-For header with a permitted IP.
Refresh.
Access granted...
Just discovered the strict keyword, not documented on https://caddyserver.com/docs/http.ipfilter
This behaviour is a bad default.
Suggestion: default to strict but allow the admin to provide an array of trusted proxy IPs where you can trust this header.
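The suggestion above, sketched as an added Go example (not code from Caddy or the ipfilter plugin): the TCP peer address is used unless the peer is in a trusted-proxy list, and only then is X-Forwarded-For walked from the right. The names `clientIP`, `isTrusted` and `sampleTrusted` and the 10.0.0.0/8 proxy range are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

var sampleTrusted = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")} // constructed sample

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIP returns the address the filter should evaluate. xff is the
// X-Forwarded-For value (multiple headers joined with commas by the caller).
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	cur := ap.Addr().Unmap()
	// Strict case: a peer that is not a trusted proxy speaks only for itself.
	if !isTrusted(cur, trusted) || strings.TrimSpace(xff) == "" {
		return cur, nil
	}
	// Walk right to left: our proxies append on the right, so everything left
	// of the first untrusted hop is client-controlled and ignored.
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return netip.Addr{}, fmt.Errorf("bad X-Forwarded-For entry %q", hops[i]) // fail closed
		}
		if cur = hop.Unmap(); !isTrusted(cur, trusted) {
			break
		}
	}
	return cur, nil
}

func main() {
	// Direct client sending a header that names a permitted address.
	ip, _ := clientIP("203.0.113.7:51000", "192.168.1.10", sampleTrusted)
	fmt.Println(ip)
}
```

An allow or block rule evaluated against the returned address no longer depends on a header the requesting client controls.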