tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

FR: add `X-Forwarded-For` to `userspace-networking` redirects to `localhost` #7848

Open DentonGentry opened 1 year ago

DentonGentry commented 1 year ago

What are you trying to do?

When operating in `--tun=userspace-networking` mode, tailscaled forwards incoming requests to the same port on localhost. The server sees the srcIP address as localhost. Adding an `X-Forwarded-For` header would let that server make decisions based on the originator.

This was done for `tailscale serve` in https://github.com/tailscale/tailscale/commit/3177ccabe5877aa46c47e1215784938fc46a6689

How should we solve this?

Add `X-Forwarded-For` for `userspace-networking`

What is the impact of not solving this?

Local servers don't know the original requestor.

Anything else?

No response

maisem commented 1 year ago

> Local servers don't know the original requestor.

FWIW, WhoIs should return the correct answer. We do port tracking when running in netstack mode to allow looking up the peer.
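
An added example (not part of the issue thread or the Tailscale code base): how a local server behind such a forwarder could consume `X-Forwarded-For`, honoring it only when the direct peer is loopback. It assumes the forwarder appends the real peer as the last entry; the `originator` helper and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// originator returns the address a local server should treat as the requester.
// Assumption: the forwarder on this host appends the real peer as the LAST
// X-Forwarded-For entry; anything to its left is client-supplied.
// Any local process can also connect over loopback and set the header, so on
// a shared host the result is a hint, not authentication.
func originator(r *http.Request) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad RemoteAddr %q: %w", r.RemoteAddr, err)
	}
	peer := ap.Addr().Unmap()
	if !peer.IsLoopback() {
		// Direct connection: the header is fully client-controlled, ignore it.
		return peer, nil
	}
	vals := r.Header.Values("X-Forwarded-For")
	if len(vals) == 0 {
		return peer, nil // forwarded without a header, or a purely local client
	}
	// Repeated header lines are equivalent to one comma-joined list.
	parts := strings.Split(strings.Join(vals, ","), ",")
	last := strings.TrimSpace(parts[len(parts)-1])
	addr, err := netip.ParseAddr(last)
	if err != nil {
		// Fail closed rather than fall back to loopback on a malformed entry.
		return netip.Addr{}, fmt.Errorf("bad X-Forwarded-For entry %q: %w", last, err)
	}
	return addr.Unmap(), nil
}

func main() {
	// Constructed request: loopback peer, spoofed entry followed by the real one.
	r := &http.Request{
		RemoteAddr: "127.0.0.1:40000",
		Header:     http.Header{"X-Forwarded-For": {"10.9.9.9, 100.64.0.5"}},
	}
	fmt.Println(originator(r))
}
```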