
AGH no longer accepts X-Real-IP headers from trusted proxies #5768

Closed
3 tasks done
immtelecom opened this issue Apr 24, 2023 · 14 comments
Labels: docker (Docker-related issues), waiting for data (Waiting for users to provide more data)

Comments

@immtelecom

Prerequisites

  • I have checked the Wiki and Discussions and found no answer

  • I have searched other issues and found no duplicates

  • I want to report a bug and not ask a question

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

Custom port

Setup

On one machine

AdGuard Home version

v0.107.29

Description

What did you do?

I set up AdGuard Home with DoH, and I use Nginx to reverse proxy AdGuard Home's DoH

Expected result

The client IP address shown in the query log should be the real IP address of the client

Actual result

All are the IP addresses of my server

Screenshots (if applicable)

AdGuard Home

Additional information

There was no problem with previous versions, and in recent versions it started to do so. I thought someone would raise this issue

@dontcrash

dontcrash commented Apr 25, 2023

Same issue here, I can see all headers are sent correctly:

X-Forwarded-For: 172.16.20.20
X-Forwarded-Host: agh.domain.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik
X-Real-Ip: 172.16.20.20

image

My install is on Docker with Traefik doing a TCP proxy for 53 and standard https proxy for /dns-query
Inside the config for AdGuardHome:

trusted_proxies:
    - 127.0.0.1/32

Is this an issue because the proxy IP is localhost? I know Plex decided to now acknowledge the headers unless it's an RFC1918 address

@EugeneOne1
Member

@immtelecom, hello and apologies for the late response. The trusted_proxies field is supposed to specify proxies, from which the real-IP-related headers should be considered. Where is the Traefik proxy located? Is it just on the same machine or in the same container? Also, what networking mode are you using within the AGH's container? Perhaps you may need to add 10.0.12.7 to your trusted_proxies.

@EugeneOne1 EugeneOne1 added waiting for data Waiting for users to provide more data. docker Docker-related issues labels May 3, 2023
@dontcrash

ImmTelecom is using Nginx, I am using Traefik. Personally I have tried setting trusted_proxies using CIDR notation as well as a standard IP address. My Traefik proxy is on the host network, let's say 172.16.0.5, and then if I do an HTTPS proxy to AdGuard Home with the X-Forwarded-For and X-Real-IP headers set, even with trusted_proxies having 127.0.0.1/32 and 172.16.0.5/32, all of the requests show as coming from the Traefik proxy itself and not the original machine that is in the X-Forwarded-For and X-Real-IP header.

@EugeneOne1
Member

@dontcrash, indeed, sorry for the confusion. Could you please collect a verbose log for us? It'll show the real IP addresses and headers the AGH receives. You may send it to devteam@adguard.com, optionally redacted.

@immtelecom, the same questions are relevant for Nginx.

@immtelecom
Author

This configuration worked fine before.

location /dns-query {
  proxy_bind 127.0.0.1;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Host $http_host;
  proxy_pass http://127.0.0.1:8080;
}

trusted_proxies:
  - 127.0.0.0/8
  - ::1/128

No longer works properly after recent updates

I added 10.0.12.0/22 to trusted_proxies and it works fine. But this shouldn't happen, I already have proxy_bind 127.0.0.1; configured in Nginx

@immtelecom
Author

image

@immtelecom
Author

image

@immtelecom
Author

I don't know how this happened. But when I set 10.0.12.7 to trusted_proxies the problem was solved

@EugeneOne1
Member

@immtelecom, 127.0.0.1, a.k.a. localhost, is almost always treated as the current machine. Are you sure you haven't changed the environment, like Docker's networking mode? Also, does Nginx still proxy requests to 127.0.0.1? Because that would be quite weird if it did, and AdGuard Home received it from 10.0.12.7.

@immtelecom
Author

@EugeneOne1 I don't use Docker. Everything is done in one system, no containers.

image

In netstat, nginx does use the 127.0.0.1 address to connect to AGH, but AGH shows that the connection is coming from 10.0.12.7. It's a bit complicated, and I don't know what's causing this

I will close this issue, it should not be a problem with AGH

@savely-krasovsky

@EugeneOne1 I also have this problem. In my case Nginx and AdGuard are installed on the same machine.

AdGuardHome.yaml:

[...]
trusted_proxies:
    - 127.0.0.1/8
    - ::1/128
[...]

nginx config:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_pass http://172.16.0.1:3000;

AdGuard Home GUI:

image

Don't understand...

@savely-krasovsky

savely-krasovsky commented May 20, 2023

For some reason my Nginx was using public IP instead of local. So I used proxy_bind 127.0.0.1 to manually override it.

@immtelecom
Author

@EugeneOne1 I don't use Docker. Everything is done in one system, no containers.

image

In netstat, nginx does use the 127.0.0.1 address to connect to AGH, but AGH shows that the connection is coming from 10.0.12.7. It's a bit complicated, and I don't know what's causing this

I will close this issue, it should not be a problem with AGH

I finally found out what was causing this problem today

iptables -t nat -A POSTROUTING -j MASQUERADE

After removing the iptables rule, everything is back to normal, no more packets from 10.0.12.7 to 127.0.0.1

image

@khad1r

khad1r commented Jun 12, 2024

I think I am just too lazy, as the open port and access is controlled by the Docker host, so mine was:

[...]
trusted_proxies:
    - 127.0.0.1/8
    - 0.0.0.0/0
    - ::1/128
[...]
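The trusted-proxy decision discussed in this thread (the MASQUERADE finding and the 0.0.0.0/0 configuration above), as an added Go sketch that is not part of the original issue and is not AdGuard Home's own code. The helper names `clientIP` and `headers`, the header precedence, and the addresses 203.0.113.9 and 192.0.2.1 are assumptions constructed for illustration; the other addresses come from the comments above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// clientIP (hypothetical) returns the address to log and whether a header was honoured.
func clientIP(peer string, h http.Header, trusted []string) (string, bool) {
	peerAddr, err := netip.ParseAddr(peer)
	if err != nil {
		return "", false
	}
	for _, cidr := range trusted {
		p, err := netip.ParsePrefix(cidr)
		if err != nil || !p.Contains(peerAddr.Unmap()) {
			continue
		}
		// TCP peer is a trusted proxy: X-Real-IP, then first X-Forwarded-For entry.
		for _, name := range []string{"X-Real-IP", "X-Forwarded-For"} {
			first, _, _ := strings.Cut(h.Get(name), ",")
			if ip, err := netip.ParseAddr(strings.TrimSpace(first)); err == nil {
				return ip.String(), true
			}
		}
		break
	}
	return peerAddr.String(), false
}

// headers builds a constructed request header set carrying X-Real-IP.
func headers(realIP string) http.Header {
	h := http.Header{}
	h.Set("X-Real-IP", realIP)
	return h
}

func main() {
	loopback := []string{"127.0.0.0/8", "::1/128"}
	h := headers("172.16.20.20")
	fmt.Println(clientIP("127.0.0.1", h, loopback)) // proxy seen on loopback
	fmt.Println(clientIP("10.0.12.7", h, loopback)) // source rewritten by MASQUERADE
	fmt.Println(clientIP("10.0.12.7", h, append(loopback, "10.0.12.7/32")))
	// 0.0.0.0/0 trusts every peer, so the header value is logged whoever sent it.
	fmt.Println(clientIP("203.0.113.9", headers("192.0.2.1"), []string{"0.0.0.0/0"}))
}
```

The second call shows why the headers were ignored once the unscoped MASQUERADE rule rewrote the loopback source to 10.0.12.7, and the last call shows that a catch-all prefix makes the logged client address only as reliable as whatever filtering sits in front of the service.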


5 participants