Problem/Motivation
If a DNS-over-HTTPS request comes from a reverse proxy such as NPM/Nginx Addon, AdGuard Home uses the provided proxy headers, such as X-Real-IP, to get the real IP address of the client. This does not work, since these are not added as trusted_proxies in the AdGuardHome.yaml by default. Showing the real IP is crucial for client identification.
As specified in: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration
trusted_proxies (since v0.107.0) – The list of IP addresses and CIDR prefixes of trusted HTTP proxy servers. If a DNS-over-HTTPS request comes from one of these addresses or networks, AdGuard Home uses the provided proxy headers, such as X-Real-IP, to get the real IP address of the client. Requests from HTTP proxies outside of these networks are considered to be requests from the proxy itself. That is, the proxy headers are ignored.
Expected behavior
AdGuard should show the real client IP.
Actual behavior
AdGuard shows the NPM/Nginx Addon Docker container IP.
Steps to reproduce
Set up AdGuard and use NPM/Nginx Addon as a reverse proxy for DoH requests.
Proposed changes
Add NPM/Nginx Addon as Trusted Proxies by default /
Add the 172.30.33.0/24 network to cover requests coming from official NPM/Nginx Addon as Trusted Proxies by default and also update existing installations somehow.
In the end the trusted proxies section in the AdGuardHome.yaml should look like this:
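
The trust rule quoted from the wiki above, sketched in Go as an added example; it is not AdGuard Home's code and not the configuration snippet the issue refers to. The function names are hypothetical and only X-Real-IP is consulted; the sample addresses are constructed, apart from 172.30.33.0/24, which is the network named in the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
)

// parseTrusted accepts single IP addresses and CIDR prefixes (hypothetical helper).
func parseTrusted(entries []string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, e := range entries {
		if p, err := netip.ParsePrefix(e); err == nil {
			out = append(out, p.Masked())
			continue
		}
		a, err := netip.ParseAddr(e)
		if err != nil {
			return nil, fmt.Errorf("bad trusted_proxies entry %q: %w", e, err)
		}
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

// clientIP honours X-Real-IP only when the TCP peer is inside a trusted
// prefix; otherwise the header is ignored and the peer is the client.
func clientIP(remoteAddr string, h http.Header, trusted []netip.Prefix) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	peer := ap.Addr().Unmap()
	for _, p := range trusted {
		if p.Contains(peer) {
			// Trusted proxy: use the header if it parses, else fall back to the peer.
			if hdrIP, err := netip.ParseAddr(h.Get("X-Real-IP")); err == nil {
				return hdrIP.Unmap(), nil
			}
			break
		}
	}
	return peer, nil
}

func main() {
	trusted, _ := parseTrusted([]string{"172.30.33.0/24"}) // network named in the issue
	h := http.Header{}
	h.Set("X-Real-IP", "192.168.1.50")                     // constructed client address
	fmt.Println(clientIP("172.30.33.4:41822", h, trusted)) // peer trusted, header honoured
	fmt.Println(clientIP("172.30.32.9:41822", h, trusted)) // peer untrusted, header ignored
}
```

Every host inside a trusted prefix can set X-Real-IP to any value, so the prefix should be no wider than the network the proxy actually sits on.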