nginx_proxy: X-Forwarded-For not working for IPv6 addresses #2654

Closed
mijofa opened this issue Sep 7, 2022 · 8 comments

mijofa commented Sep 7, 2022

Describe the issue you are experiencing

I've spent a good number of hours trying to figure out why the X-Forwarded-For didn't seem to be working at all as everything seems to be reporting the client IP as '172.30.32.1'.
Eventually I've found that it does actually work if I turn off IPv6 on the client device that I'm browsing from.

I have correctly updated my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

I've even tried setting with a bunch of various combinations of these too, but they don't make any difference:

- 172.30.0.0/16
- ::1
- 127.0.0.1
- 0.0.0.0/0 
- ::/0

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

NGINX Home Assistant SSL proxy

What is the version of the add-on?

3.1.5

Steps to reproduce the issue

  1. Have working IPv6
  2. Follow instructions to set up the add-on, including the configuration.yaml changes
  3. Try to log in to Home Assistant with the wrong password via this add-on over IPv6
  4. Log in properly and you'll see a notification saying something like this:

    Login attempt or request with invalid authentication from 172.30.32.1. See the log for details.

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response


github-actions bot commented Nov 3, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions bot added the stale label Nov 3, 2022

mijofa commented Nov 3, 2022

This is still an issue despite being ignored by others. :(

github-actions bot removed the stale label Nov 3, 2022

github-actions bot commented Dec 3, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions bot added the stale label Dec 3, 2022
github-actions bot closed this as not planned Dec 11, 2022
@codyc1515

Yep, still an issue.

@codyc1515

Fixed with the following configuration.yaml changes:

http:
  trusted_proxies:
    - 172.30.0.0/16
    - ::1
    - 127.0.0.1
    - 0.0.0.0/0
    - ::/0
  use_x_forwarded_for: true

Do not use these in production.

ianmtaylor1 commented May 3, 2024

I can confirm that I'm experiencing the same issue. TL;DR I think it happens because HAOS add-on docker containers don't have IPv6 addresses, but I'm out of my depth here.

Home Assistant OS: 12.2
Home Assistant Core: 2024.5.0
Nginx Proxy Add-on: 3.9.0

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.32.0/23
    - 10.185.0.80   # another reverse proxy on my network

This is also a problem if you are trying to use IP banning, as failed logins from IPv6 clients all appear to come from 172.30.32.1.

Hypothesis

I think this has something to do with the plugin docker containers not having IPv6 addresses, but I don't know enough about HTTP and the X-Forwarded-For header to know for sure. On my system, the Nginx Proxy add-on has address 172.30.33.2 and the docker network's gateway is 172.30.32.1. The whole docker network is 172.30.32.0/23, which is included in my trusted_proxies. The Nginx container has an IPv6 port forwarded, ":::443->443/tcp". I think that when a request comes to the HAOS machine to IPv6 port 443, before the packet is forwarded to the Nginx container, its source is translated to the docker network gateway (172.30.32.1) while this doesn't happen with a request over IPv4. Could this cause a mismatch between the packet's source IP and some IP address located in the HTTP header? Or some other issue?

Alternate workaround

Instead of disabling IPv6 on the client, I am working around this by having no AAAA records for my Home Assistant domain name, so all clients access it over IPv4.

Additional information

Under specific circumstances, I can get HA to report a failed login from an IPv6 address. I have another reverse proxy, wwwproxy, at 10.185.0.80 on the local network, which proxies connections from the internet. Its relevant Nginx configuration is:

server {
        server_name homeassistant.example.com;
        listen 80;
        listen [::]:80;
        listen [::]:443 ssl;
        listen 443 ssl; 
        location / {
                resolver 127.0.0.53; # systemd-resolved stub resolver
                proxy_buffering off;
                proxy_http_version 1.1;
                proxy_ssl_server_name on;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_pass $scheme://homeassistant.example.com$request_uri;
        }
        # ... SSL stuff ...
}

If homeassistant.example.com resolves only to an IPv4 address internally, so that wwwproxy forwards the request via IPv4 only, then IPv6 clients who access homeassistant.example.com via wwwproxy will have their correct IPv6 address reported for failed logins. (Notice that 10.185.0.80 is also in the trusted_proxies list above.)

So Home Assistant is perfectly capable of using IPv6 addresses from within the X-Forwarded-For list. But something breaks when the immediate request to the Nginx reverse proxy add-on is done over IPv6, which I think is because the docker containers only have IPv4 addresses.
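
Added example, not part of the thread and not Home Assistant's or the add-on's code: a generic right-to-left X-Forwarded-For resolver applied to the trusted_proxies lists and addresses quoted above. It assumes the add-on appends the source address it saw to the header and, following ianmtaylor1's hypothesis, that a direct IPv6 connection reaches nginx with source 172.30.32.1; `client_ip`, `scenarios` and the 2001:db8::5, 203.0.113.9 and 198.51.100.7 addresses are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Lists quoted from the thread; client addresses below are constructed
# documentation-range samples.
NARROW = ["172.30.32.0/23", "10.185.0.80"]
TRUST_ALL = ["172.30.0.0/16", "::1", "127.0.0.1", "0.0.0.0/0", "::/0"]
ADDON = "172.30.33.2"  # add-on container address reported in the thread


def client_ip(peer, xff, trusted):
    """Pick the client address: right-most X-Forwarded-For hop that is not
    itself a trusted proxy. `peer` is the TCP source the application saw."""
    nets = [ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr):
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(addr in net for net in nets)

    if not xff or not is_trusted(ip_address(peer)):
        return peer  # header is ignored unless a trusted proxy delivered it
    try:
        hops = [ip_address(h.strip()) for h in xff.split(",")]
    except ValueError:
        return peer  # malformed header: fall back to the socket address
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])  # every hop trusted: only the left-most entry is left


def scenarios():
    # Assumption: the add-on appends the address it saw to X-Forwarded-For.
    spoofed = "203.0.113.9, 198.51.100.7"  # client-supplied entry, then real peer
    return {
        # IPv6 client -> wwwproxy (10.185.0.80) -> add-on over IPv4
        "via_wwwproxy": client_ip(ADDON, "2001:db8::5, 10.185.0.80", NARROW),
        # IPv6 straight to the add-on; nginx only ever saw the gateway
        "direct_ipv6": client_ip(ADDON, "172.30.32.1", NARROW),
        "spoofed_narrow": client_ip(ADDON, spoofed, NARROW),
        "spoofed_trust_all": client_ip(ADDON, spoofed, TRUST_ALL),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:18} -> {ip}")
```

With the trust-all list the resolved address is whatever the client wrote into the header, so failed-login notifications and IP bans key on a value the client chose; the narrow list resolves the same request to the real peer.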

@ianmtaylor1

Related issues, no resolution though: #471, #2301

@david-rapan

Also having the same issue... :/
