Overriding trusted proxy CIDRs does not work #9720

Closed
Samppady opened this issue May 14, 2024 · 2 comments
Labels
duplicate This issue or pull request already exists

Comments

@Samppady

Describe the bug
Overriding trusted proxy CIDRs via the configuration flag AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS does not work.

To Reproduce
Steps to reproduce the behavior:

  1. Configure trusted proxy CIDRs in AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS with the syntax AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS='["127.0.0.0/8","::1/128"]'.
  2. Restart Authentik.
  3. The configured trusted proxies do not work (i.e. Authentik does not trust headers from the configured CIDRs).

Expected behavior
Authentik should configure its trusted proxy CIDR list based on the configured values in AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS.

Same problem #7712

Additional context
Current workaround (described in #6749) is to mount a custom defaults.yaml file with the CIDRs added (which is confirmed to be working).

Last tested version: 2024.4.1
Deployment: docker-compose

@Samppady Samppady added the bug Something isn't working label May 14, 2024
@rissson
Member

rissson commented May 14, 2024

The format you're using is wrong. Quoting from https://docs.goauthentik.io/docs/installation/configuration#listen-settings

List of comma-separated CIDRs that proxy headers should be accepted from

So AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8,::1/128

@rissson rissson closed this as completed May 14, 2024
@rissson rissson added duplicate This issue or pull request already exists and removed bug Something isn't working labels May 14, 2024
@Samppady
Author

Samppady commented May 14, 2024

> The format you're using is wrong. Quoting from https://docs.goauthentik.io/docs/installation/configuration#listen-settings
>
> List of comma-separated CIDRs that proxy headers should be accepted from
>
> So AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8,::1/128

I did try the .env file:

```
AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fe80::/10,::1/128,192.168.0.0/24
```

Result:

```yaml
trusted_proxy_cidrs:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - fe80::/10
  - ::1/128
```

Or docker-compose.yml:

```yaml
server:
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
  container_name: authentik_server
  restart: unless-stopped
  command: server
  environment:
    AUTHENTIK_REDIS__HOST: redis
    AUTHENTIK_POSTGRESQL__HOST: postgresql
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fe80::/10,::1/128,192.168.0.0/24
```

Result:

```yaml
trusted_proxy_cidrs:
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - fe80::/10
  - ::1/128
```

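For readers following the format discussion above, here is an added illustration (not authentik's code) of the comma-separated CIDR list the docs describe, why the JSON-style value from the report fails to parse as CIDRs, and what the setting guards: proxy headers such as X-Forwarded-For are honoured only when the connecting peer is inside a trusted CIDR. The parser and header logic are constructed for this example and may differ from authentik's actual implementation.

```python
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample values for this example (not read from a real deployment).
# The comma-separated form is the one the docs quote in the thread above; the
# JSON-style form is the one the issue reporter tried first.
COMMA_FORMAT = "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fe80::/10,::1/128"
JSON_FORMAT = '["127.0.0.0/8","::1/128"]'


def parse_trusted_cidrs(value: str) -> List[Network]:
    """Split a comma-separated CIDR list into network objects.
    Any entry that is not a valid CIDR raises ValueError, so a mis-formatted
    setting fails loudly rather than silently yielding an unexpected trust list.
    """
    return [
        ipaddress.ip_network(entry.strip(), strict=True)
        for entry in value.split(",")
        if entry.strip()
    ]


def format_error(value: str) -> Optional[str]:
    """Return the parse error for a setting value, or None if it parses cleanly."""
    try:
        parse_trusted_cidrs(value)
    except ValueError as exc:
        return str(exc)
    return None


def is_trusted_proxy(peer: str, trusted: List[Network]) -> bool:
    """True if the TCP peer address falls inside one of the trusted CIDRs."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in trusted)


def client_ip(peer: str, x_forwarded_for: Optional[str], trusted: List[Network]) -> str:
    """Decide which address to treat as the client.
    X-Forwarded-For is honoured only when the peer is a trusted proxy; from an
    untrusted peer the header is ignored, since the client could set it itself.
    The last entry is used because it is the one appended by the trusted proxy
    and so cannot be chosen by the client.
    """
    if x_forwarded_for and is_trusted_proxy(peer, trusted):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return peer
```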