Support PROXY Protocol #2798
Comments
ainar-g
added
feature request
P3: Medium
research
|
I am also interested in this feature. Right now, I am using Kubernetes with Traefik and MetalLB to expose ports on my nodes. All my services are behind Traefik except AGH because of the missing distinction of the clients in AGH. I seeh @ameshkov has remarked it to be in the mileston v1.0.0 would love to see it earlier. ;-) |
|
Same Here. |
|
@Akruidenberg don't forget to thumbs up first post. |
|
Although AdGuard Home does not support this feature at this time, the same effect can be achieved with go-mmproxy. https://github.com/path-network/go-mmproxy The go-mmproxy gives AdGuard Home the ability to obtain the original IP of the client sent by the load balancer via PROXY Protocol. |
|
Oh, there's a ready-to-use golang code for that? That's nice, makes it easier to implement inside AGH when we finally are ready to. Meanwhile, please use go-mmproxy for that. |
Sadly, there is no docker support for mmproxy. |
|
@Akruidenberg https://andrewmichaelsmith.com/2020/02/preserving-client-ip-in-kubernetes/ |
|
i try it (https://hub.docker.com/r/unixfox/go-mmproxy) but do not support ipv6 map $ssl_preread_server_name $dot_map { alist.example.com dot; upstream dot{ server { proxy_protocol on; } my docker go-mmproxy config : #!/bin/sh ip -6 rule add from ::1/128 iif lo table 123 echo -en "0.0.0.0/0\n::/0\n" > allowed-networks.txt my adguard home listen 853 for dot
|
|
Bump. I need this feature for Nginx in order to be able to securely and correctly proxy DoT and DoUDP / DoTCP. I'm quite unsure why this has been put on the back burner, it's quite an important feature to add. |
|
It would be really nice if AdGuard Home worked on adding support for The PROXY protocol, by doing so it would allow us to identify DoT clients while using a reverse proxy. I'm currently running AdGuard Home together with Traefik in Docker using Docker Compose. Traefik is really convenient for routing to multiple Docker containers using labels, and for managing multiple certificates without human input. docker-compose.yamlversion: "3"
services:
traefik:
command:
- --providers.docker=true
- --providers.docker.exposedbydefault=false
- --certificatesresolvers.myresolver.acme.dnschallenge=true
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=duckdns
- --certificatesresolvers.myresolver.acme.email=webmaster@👀.duckdns.org
- --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
- --entrypoints.websecure.address=:443
- --entrypoints.web.address=:80
- --entrypoints.web.http.redirections.entrypoint.to=websecure
- --entrypoints.dot.address=:853
container_name: traefik
depends_on:
- adguardhome
environment:
- DUCKDNS_TOKEN=👀
image: traefik:v3.0
ports:
- 80:80
- 443:443
- 853:853
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./letsencrypt:/letsencrypt
adguardhome:
container_name: adguardhome
image: adguard/adguardhome
labels:
- traefik.enable=true
- traefik.http.routers.adguardhome-https.rule=Host(`adguardhome.👀.duckdns.org`)
- traefik.http.routers.adguardhome-https.entrypoints=websecure
- traefik.http.routers.adguardhome-https.tls.certresolver=myresolver
- traefik.http.services.adguardhome-https.loadbalancer.server.port=3000
- traefik.http.routers.adguardhome-https.service=adguardhome-https
- traefik.tcp.routers.adguardhome_dot.rule=HostSNI(`adguardhome.👀.duckdns.org`) || HostSNIRegexp(`^.+\.adguardhome\.👀\.duckdns\.org$`)
- traefik.tcp.routers.adguardhome_dot.entrypoints=dot
- traefik.tcp.routers.adguardhome_dot.tls.domains[0].main=adguardhome.👀.duckdns.org
- traefik.tcp.routers.adguardhome_dot.tls.domains[0].sans=*.adguardhome.👀.duckdns.org
- traefik.tcp.routers.adguardhome_dot.tls.certresolver=myresolver
# - traefik.tcp.services.adguardhome_dot.loadbalancer.proxyprotocol.version=2
# - traefik.tcp.routers.adguardhome_dot.service=adguardhome_dot
restart: unless-stopped
volumes:
- ./adguardhome/work:/opt/adguardhome/work
- ./adguardhome/conf:/opt/adguardhome/confAdGuardHome.yamldns:
trusted_proxies:
- 127.0.0.0/8
- ::1/128
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
tls:
enabled: true
server_name: adguardhome.👀.duckdns.org
allow_unencrypted_doh: true |
This comment was marked as duplicate.
This comment was marked as duplicate.
|
I just wasted 3 nights to do passing real-IP through DoT and found out that AG does not support it. I think this is an important feature need to implement since DoT is used in Android device a lot. |
|
Bumping this thread since as of 2024, this is still unsupported and i truly believe that we should not resort to unsafe workarounds with go-mmproxy |
|
I would also appreciate support for that. I've moved from static blocklist zones to AdGuard recently, so I could change them dynamically should I need to – but since my AdGuard is behind CoreDNS, I am unable to use per-client filtering. |
When using AGH through a load balancer or reverse proxy (probably because I don't want to expose the AGH directly or just want to high availability), DoH can get the user's original IP address through the HTTP header but regular DNS and DoT cannot.
This isn't good for use cases where the AGH is deployed on a server. This is especially important for sites that use GeoDNS for CDN allocation because AGH needs the user's original IP to send the ECS to the recursive DNS server.
This situation is also mentioned in this issue (#1789), where @ameshkov says, "Unfortunately, there are no such options for TLS/TCP."
But in fact, both Nginx and HAProxy can use PROXY Protocol to send the user's real IP over Layer 4. nginx.com has written an article describing how to use Nginx as a DoH / DoT gateway. We just need to add proxy_protocol on; in the stream section to send the user's original IP via PROXY Protocol, but this requires AGH support.
The text was updated successfully, but these errors were encountered: