From 54597bd575f177f631b30d2cdee1e2d54eb98328 Mon Sep 17 00:00:00 2001
From: Kendall Garner <17521368+kgarner7@users.noreply.github.com>
Date: Tue, 12 Dec 2023 11:06:27 +0000
Subject: [PATCH] Allow reverse proxy auth for unix socket (#2701)

---
 server/auth.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/auth.go b/server/auth.go
index 6442e7e407b..44cc94fdd31 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -193,7 +193,7 @@ func UsernameFromToken(r *http.Request) string {
 }
 
 func UsernameFromReverseProxyHeader(r *http.Request) string {
-	if conf.Server.ReverseProxyWhitelist == "" {
+	if conf.Server.ReverseProxyWhitelist == "" && !strings.HasPrefix(conf.Server.Address, "unix:") {
 		return ""
 	}
 	if !validateIPAgainstList(r.RemoteAddr, conf.Server.ReverseProxyWhitelist) {
@@ -316,6 +316,12 @@ func handleLoginFromHeaders(ds model.DataStore, r *http.Request) map[string]inte
 }
 
 func validateIPAgainstList(ip string, comaSeparatedList string) bool {
+	// Per https://github.com/golang/go/issues/49825, the remote address
+	// on a unix socket is '@'
+	if ip == "@" && strings.HasPrefix(conf.Server.Address, "unix:") {
+		return true
+	}
+
 	if comaSeparatedList == "" || ip == "" {
 		return false
 	}