nginx_proxy: X-Forwarded-For not working for IPv6 addresses #2654
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This is still an issue despite being ignored by others. :(
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Yep, still an issue.
Fixed with the following configuration.yaml changes:
Do not use these in production.
I can confirm that I'm experiencing the same issue.

TL;DR I think it happens because HAOS add-on docker containers don't have IPv6 addresses, but I'm out of my depth here.

Home Assistant OS: 12.2

This is also a problem if you are trying to use IP banning, as failed logins from IPv6 clients all appear to come from 172.30.32.1.

Hypothesis

I think this has something to do with the plugin docker containers not having IPv6 addresses, but I don't know enough about HTTP and the X-Forwarded-For header to know for sure. On my system, the Nginx Proxy add-on has address 172.30.33.2 and the docker network's gateway is 172.30.32.1. The whole docker network is 172.30.32.0/23, which is included in my trusted_proxies. The Nginx container has an IPv6 port forwarded, ":::443->443/tcp". I think that when a request comes to the HAOS machine to IPv6 port 443, before the packet is forwarded to the Nginx container, its source is translated to the docker network gateway (172.30.32.1) while this doesn't happen with a request over IPv4. Could this cause a mismatch between the packet's source IP and some IP address located in the HTTP header? Or some other issue?

Alternate workaround

Instead of disabling IPv6 on the client, I am working around this by having no AAAA records for my Home Assistant domain name, so all clients access it over IPv4.

Additional information

Under specific circumstances, I can get HA to report a failed login from an IPv6 address. I have another reverse proxy,

If

So Home Assistant is perfectly capable of using IPv6 addresses from within the X-Forwarded-For list. But something breaks when the immediate request to the Nginx reverse proxy add-on is done over IPv6, which I think is because the docker containers only have IPv4 addresses.
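An added example, not part of the thread and not Home Assistant's or the add-on's code, that models the hypothesis in the comment above with a generic right-to-left X-Forwarded-For resolver that trusts 172.30.32.0/23. The function names, the append-the-peer proxy behaviour and the client addresses (documentation ranges) are assumptions.

```python
import ipaddress

# Values from the comment above; client addresses are constructed (documentation ranges).
TRUSTED = [ipaddress.ip_network("172.30.32.0/23")]  # add-on docker network
GATEWAY = "172.30.32.1"       # docker network gateway
NGINX_ADDON = "172.30.33.2"   # Nginx Proxy add-on container


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)  # a v4/v6 mismatch is simply False


def proxy_append(peer_seen, incoming_xff=""):
    """Assumed proxy behaviour: append the socket peer address to X-Forwarded-For."""
    hops = [h.strip() for h in incoming_xff.split(",") if h.strip()]
    return ", ".join(hops + [peer_seen])


def resolve_client(peer, xff):
    """Walk X-Forwarded-For right to left and return the first untrusted hop."""
    if not is_trusted(peer):
        return peer  # a header sent by an untrusted peer is not believed
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        parsed = [ipaddress.ip_address(h) for h in hops]
    except ValueError:
        return peer  # malformed header: fall back to the socket peer
    for ip in reversed(parsed):
        if not is_trusted(str(ip)):
            return str(ip)
    # Every hop is inside the trusted range, so the leftmost one is all we have.
    return str(parsed[0]) if parsed else peer


def backend_view(client, source_rewritten=False):
    """Address the backend attributes a request to, with or without source rewriting."""
    peer_at_proxy = GATEWAY if source_rewritten else client
    return resolve_client(NGINX_ADDON, proxy_append(peer_at_proxy))


if __name__ == "__main__":
    print(backend_view("203.0.113.7"))                         # IPv4, source preserved
    print(backend_view("2001:db8::7", source_rewritten=True))  # hypothesised IPv6 path
    print(resolve_client(NGINX_ADDON, "2001:db8::7"))          # IPv6 already in the header
```

In this model the IPv6 client's address is lost before the header is written, so every such client resolves to the gateway address and per-IP banning cannot tell them apart.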
Also having the same issue... :/
Describe the issue you are experiencing
I've spent a good number of hours trying to figure out why the X-Forwarded-For didn't seem to be working at all as everything seems to be reporting the client IP as '172.30.32.1'.
Eventually I've found that it does actually work if I turn off IPv6 on the client device that I'm browsing from.
I have correctly updated my configuration.yaml:
I've even tried setting with a bunch of various combinations of these too, but they don't make any difference:
What type of installation are you running?
Home Assistant OS
Which operating system are you running on?
Home Assistant Operating System
Which add-on are you reporting an issue with?
NGINX Home Assistant SSL proxy
What is the version of the add-on?
3.1.5
Steps to reproduce the issue
Anything in the Supervisor logs that might be useful for us?
No response
Anything in the add-on logs that might be useful for us?
No response
Additional information
No response