search

hassio-addons / addon-adguard-home

AdGuard Home - Home Assistant Community Add-ons
https://addons.community
MIT License
374 stars 47 forks source link

AdGuard not showing real client IP when using a reverse proxy (NPM/Nginx Addon) #467

Closed mxbchr closed 8 months ago

mxbchr commented 8 months ago

Problem/Motivation

If a DNS-over-HTTPS request comes from a reverse proxy such as NPM/Nginx Addon, AdGuard Home uses the provided proxy headers, such as X-Real-IP, to get the real IP address of the client. This does not work, since these are not added as trusted_proxies in the AdGuardHome.yaml by default. Showing the real IP is crucial for client identification.

As specified in: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration trusted_proxies (since v0.107.0) – The list of IP addresses and CIDR prefixes of trusted HTTP proxy servers. If a DNS-over-HTTPS request comes from one of these addresses or networks, AdGuard Home uses the provided proxy headers, such as X-Real-IP, to get the real IP address of the client. Requests from HTTP proxies outside of these networks are considered to be requests from the proxy itself. That is, the proxy headers are ignored.

Expected behavior

AdGuard should show the real client IP.

Actual behavior

AdGuard shows the NPM/Nginx Addon Docker Container IP

Steps to reproduce

Setup AdGuard and use NPM/Nginx Addon as a reverse Proxy for DoH requests.

Proposed changes

Add NPM/Nginx Addon as Trusted Proxies by default /

Add the 172.30.33.0/24 network to cover requests coming from official NPM/Nginx Addon as Trusted Proxies by default and also update existing installations somehow.

In the end the trusted proxies section in the AdGuardHome.yaml should look like this:

  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
    - 172.30.33.0/24