Overriding trusted proxy CIDRs does not work #9723

Closed
Samppady opened this issue May 14, 2024 · 4 comments
Labels
bug Something isn't working

Comments

Samppady commented May 14, 2024

I couldn’t open case #9720, so I had to make a new issue.

Describe the bug
Overriding trusted proxy CIDRs via the configuration flag AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS does not work.

To Reproduce
Steps to reproduce the behavior:

  1. Configure trusted proxy CIDRs in AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS with the syntax AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8,::1/128
  2. Restart Authentik
  3. The configured trusted proxies do not work (i.e. Authentik does not trust headers from the configured CIDRs).

Expected behavior
Authentik should configure its trusted proxy CIDR list based on the configured values in AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS.

Same problem: #7712 and #9720

Additional context
Current workaround (described in #6749) is to mount a custom defaults.yaml file with the CIDRs added (which is confirmed to be working).

Last tested version: 2024.4.1
Deployment: docker-compose

--
The format you're using is wrong. Quoting from https://docs.goauthentik.io/docs/installation/configuration#listen-settings

List of comma-separated CIDRs that proxy headers should be accepted from

So AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8,::1/128

Originally posted by @rissson in #9720 (comment)


I did try the .env file:
AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fe80::/10,::1/128,192.168.0.0/24

Result:
trusted_proxy_cidrs:

  • 127.0.0.0/8
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • fe80::/10
  • ::1/128

Or docker-compose.yml

server:
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
  container_name: authentik_server
  restart: unless-stopped
  command: server
  environment:
    AUTHENTIK_REDIS__HOST: redis
    AUTHENTIK_POSTGRESQL__HOST: postgresql
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fe80::/10,::1/128,192.168.0.0/24

Result:
trusted_proxy_cidrs:

  • 127.0.0.0/8
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • fe80::/10
  • ::1/128
@Samppady Samppady added the bug Something isn't working label May 14, 2024
rissson commented May 14, 2024

On 2024.4.2, I have AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS=172.28.128.0/22,2001:67c:17fc:110::/60 set, and I can see in the logs that my IP is indeed correct:

{"event":"/static/dist/user/UserInterface.js?version=2024.4.2","host":"auth.lama-corp.space","level":"info","logger":"authentik.router","method":"GET","remote":"2a01:cb10:935:3107:cc16:c058:7c1c:eaca","runtime":"9.622","scheme":"http","size":490512,"status":200,"timestamp":"2024-05-14T21:30:03Z","user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0"}

Perhaps you could share some of the details of your setup, especially regarding your reverse proxy and how it accesses authentik.

rissson commented May 14, 2024

Also, I notice that you have both 192.168.0.0/16 and 192.168.0.0/24 in your list. The first one is enough.
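An added example, not authentik's own code, illustrating the two points in this thread: a parser for the comma-separated CIDR format that also flags an entry already covered by an earlier one (192.168.0.0/24 inside 192.168.0.0/16), and a client-address resolver that honours X-Forwarded-For only when the direct peer is in the trusted list. The right-to-left walk of the header is the usual approach and an assumption here, not a claim about how authentik resolves the address; the input list is constructed from the one in the issue.

```python
from ipaddress import ip_address, ip_network

# Constructed input mirroring the list from this issue; 192.168.0.0/24 lies
# inside 192.168.0.0/16, so it adds nothing to the trusted set.
RAW = ("127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,"
       "fe80::/10,::1/128,192.168.0.0/24")


def parse_trusted_cidrs(raw):
    """Parse the comma-separated AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS format.

    Returns (networks, redundant): an entry fully covered by an earlier entry
    goes into redundant instead of the trusted list. strict=True rejects
    entries with host bits set, e.g. 127.0.0.1/8.
    """
    nets, redundant = [], []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        net = ip_network(item, strict=True)  # ValueError on malformed input
        covered = any(net.version == n.version and net.subnet_of(n) for n in nets)
        (redundant if covered else nets).append(net)
    return nets, redundant


def is_trusted(hop, nets):
    """True when hop parses as an address inside one of the trusted networks."""
    try:
        ip = ip_address(hop)
    except ValueError:
        return False  # an unparsable hop is never a trusted proxy
    return any(ip in n for n in nets)


def client_ip(remote_addr, x_forwarded_for, nets):
    """Resolve the client address for a request (assumed right-to-left walk).

    Walk X-Forwarded-For from the right (nearest hop first), skipping trusted
    proxies; the first remaining hop is the client. If the direct peer
    (remote_addr) is not trusted the header is ignored, so an untrusted peer
    cannot pick the address that gets logged or checked by policies.
    """
    hops = [h.strip() for h in x_forwarded_for.split(",")] if x_forwarded_for else []
    hops.append(remote_addr)
    for hop in reversed(hops[1:]):
        if not is_trusted(hop, nets):
            return hop
    return hops[0]  # every hop is a trusted proxy: the left-most is the client
```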

@Samppady (Author)

Weird, if I don't add it, the client IP does not show up right.
Current Session IP.

@Samppady (Author)

Also, I notice that you have both 192.168.0.0/16 and 192.168.0.0/24 in your list. The first one is enough.

I upgraded to 2024.4.2 and removed AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS from the .env file.
Now, the client IP is displayed correctly. I’m not sure what fixed the proxy_cidrs problem.

Thanks for the help.
