AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Incorrect IP Logging for Failed Login Attempts and Potential Vulnerability to IP Spoofing #6978

Open zylxpl opened 6 months ago

zylxpl commented 6 months ago

Prerequisites

Platform (OS and CPU architecture)

Linux, ARM64

Installation

Docker

Setup

Other (please mention in the description)

AdGuard Home version

v0.107.48

Action

AGH behind rev proxy. On failed login attempts, the logs show the reverse proxy's IP address instead of the real user's IP address. Successful login attempts, however, are logged with the correct real user IP.

Expected result

If the reverse proxy is trusted, the logs should always display the real user IP address, retrieved for example from the XFF header.

Actual result

Failed login attempts are logged with the reverse proxy's IP address, which is not useful for auditing purposes. In contrast, successful login attempts are logged with the correct user IP address even for untrusted proxies - this might be vulnerable to IP spoofing attacks, where malicious actors could forge the X-Forwarded-For header to hide their identity.

Additional information and/or screenshots

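The trusted-proxy handling the report asks for, as an added Go example that is not AdGuard Home's own code: X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and the address derived that way is used for both successful and failed attempts. The trusted network, the function names and the log line format are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Network the reverse proxy connects from (constructed example value; the
// equivalent setting in AdGuard Home is not shown on the page).
var _, trustedNet, _ = net.ParseCIDR("10.0.0.0/8")

// ClientIP picks the address to put in the audit log. X-Forwarded-For is only
// consulted when the TCP peer is inside trustedNet; the list is then walked
// from the right, skipping hops that are themselves trusted proxies, so the
// first untrusted hop (the real client) is returned. A client that connects
// directly and sends its own X-Forwarded-For header is logged by its peer
// address, so the header cannot be used to spoof the logged IP.
func ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if peer := net.ParseIP(host); peer == nil || !trustedNet.Contains(peer) {
		return host
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip != nil && !trustedNet.Contains(ip) {
			return ip.String()
		}
	}
	return host // header empty or only proxy addresses: fall back to the peer
}

// AuditLine derives the address once and uses it for both outcomes, so failed
// and successful attempts are attributed to the same client address.
func AuditLine(r *http.Request, ok bool) string {
	status := "failed"
	if ok {
		status = "success"
	}
	return fmt.Sprintf("login from %s: %s", ClientIP(r), status)
}
```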

PixelHir commented 2 months ago

Same issue over here, can successfully reproduce on a host networking container, with traefik as reverse proxy. (proxy is to https port, not http)

[screenshot] IP not censored as it's iCloud Private Relay anyways