starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-11 20:00:28 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

support Proxy to get ip from a http Header instead from source IP (127.0.0.1) #70

New Issue
Closed
opened 2025-12-29 01:21:37 +01:00 by adam · 8 comments
adam commented 2025-12-29 01:21:37 +01:00
Owner
Copy Link

Originally created by @JensKuehnel on GitHub (Nov 7, 2021).

Hi,
I'm running headscale on a server that is servicing https via a caddy server. It works perfectly (Thanks for that).
The only minor problem are the logfiles. Because I'm using a Reverse-proxy in front, the logfile look like this:

Nov 07 23:05:04 MYHOST headscale[3132606]: [GIN] 2021/11/07 - 23:05:04 | 200 |  1.003830109s |       127.0.0.1 | POST     "/machine/MYID/map"

Could a new parameter be added to take the log file from a http-header instead of the source IP?

Sorry, I can't write go, or I would add it myself.

Originally created by @JensKuehnel on GitHub (Nov 7, 2021). Hi, I'm running headscale on a server that is servicing https via a caddy server. It works perfectly (Thanks for that). The only minor problem are the logfiles. Because I'm using a Reverse-proxy in front, the logfile look like this: ``` Nov 07 23:05:04 MYHOST headscale[3132606]: [GIN] 2021/11/07 - 23:05:04 | 200 | 1.003830109s | 127.0.0.1 | POST "/machine/MYID/map" ``` Could a new parameter be added to take the log file from a http-header instead of the source IP? Sorry, I can't write go, or I would add it myself.
adam added the enhancementhelp wantedgood first issue labels 2025-12-29 01:21:37 +01:00
adam closed this issue 2025-12-29 01:21:38 +01:00
adam commented 2025-12-29 01:21:38 +01:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub (Nov 9, 2021):

The most complicated part of solving this issue is that it requires creating a new config option.

Caddy is already setting X-Forwarded-For headers. However, for security reasons Gin does not look into that automatically. Instead, you need to set r.SetTrustedProxies([]string{"IP or CIDR"}) (docs). In headscale, it would be around here:

74f0d08f50/app.go (L407)

However because the proxy's IP or CIDR depends on your environment, it needs to be something that is set in a config file.

Also note that the config should allow setting Gin's TrustedPlatform flag if the app is running on platforms like Google App Engine, Cloudflare, etc.

@ItalyPaleAle commented on GitHub (Nov 9, 2021): The most complicated part of solving this issue is that it requires creating a new config option. Caddy is already setting X-Forwarded-For headers. However, for security reasons Gin does not look into that automatically. Instead, you need to set `r.SetTrustedProxies([]string{"IP or CIDR"})` ([docs](https://github.com/gin-gonic/gin#dont-trust-all-proxies)). In headscale, it would be around here: https://github.com/juanfont/headscale/blob/74f0d08f507ba6dd25ea69cf4faa38093e46be07/app.go#L407 However because the proxy's IP or CIDR depends on your environment, it needs to be something that is set in a config file. Also note that the config should allow setting Gin's `TrustedPlatform` flag if the app is running on platforms like Google App Engine, Cloudflare, etc.
adam commented 2025-12-29 01:21:38 +01:00
Author
Owner
Copy Link

@mannp commented on GitHub (Nov 9, 2021):

I also have the same issue using traefik 2 as proxy, I only ever see the proxy address instead of the remote client address.

@ItalyPaleAle those options are used commonly in other projects, so doesn't it seem sensible to have to set them here too when using a proxy?

@mannp commented on GitHub (Nov 9, 2021): I also have the same issue using traefik 2 as proxy, I only ever see the proxy address instead of the remote client address. @ItalyPaleAle those options are used commonly in other projects, so doesn't it seem sensible to have to set them here too when using a proxy?
adam commented 2025-12-29 01:21:39 +01:00
Author
Owner
Copy Link

@ItalyPaleAle commented on GitHub (Nov 9, 2021):

For security reasons (and for the fact that certain CDNs require looking at different headers) I would not recommend enabling trusted proxies with 0.0.0.0/0 by default. Should really be a config option IMHO. Otherwise if someone is NOT running the app behind a proxy, a malicious actor could send requests with the X-Forwarded-For header to fake the IP.

@ItalyPaleAle commented on GitHub (Nov 9, 2021): For security reasons (and for the fact that certain CDNs require looking at different headers) I would not recommend enabling trusted proxies with 0.0.0.0/0 by default. Should really be a config option IMHO. Otherwise if someone is NOT running the app behind a proxy, a malicious actor could send requests with the `X-Forwarded-For` header to fake the IP.
adam commented 2025-12-29 01:21:39 +01:00
Author
Owner
Copy Link

@mannp commented on GitHub (Nov 9, 2021):

That was my point, we should have to set them and yes likely 0.0.0.0/0 shouldn't be default, as it would be expected the proxy would be set to one specific IP or a range in the case of Cloudflare.

@mannp commented on GitHub (Nov 9, 2021): That was my point, we should have to set them and yes likely 0.0.0.0/0 shouldn't be default, as it would be expected the proxy would be set to one specific IP or a range in the case of Cloudflare.
adam commented 2025-12-29 01:21:41 +01:00
Author
Owner
Copy Link

@Akruidenberg commented on GitHub (Oct 31, 2022):

Is there a temporary workaround for this? Is the alpine docker image a fix?

@Akruidenberg commented on GitHub (Oct 31, 2022): Is there a temporary workaround for this? Is the alpine docker image a fix?
adam commented 2025-12-29 01:21:42 +01:00
Author
Owner
Copy Link

@mhameed commented on GitHub (Nov 20, 2022):

Adding link for reference for the haproxy proxy protocol, which seems to be relatively widely adopted:
https://www.haproxy.org/download/2.7/doc/proxy-protocol.txt

@mhameed commented on GitHub (Nov 20, 2022): Adding link for reference for the haproxy proxy protocol, which seems to be relatively widely adopted: https://www.haproxy.org/download/2.7/doc/proxy-protocol.txt
adam commented 2025-12-29 01:21:42 +01:00
Author
Owner
Copy Link

@juanfont commented on GitHub (May 10, 2023):

I reckon this is now

@juanfont commented on GitHub (May 10, 2023): I reckon this is now
adam commented 2025-12-29 01:21:43 +01:00
Author
Owner
Copy Link

@vutsalsinghal commented on GitHub (Mar 12, 2025):

guys, how do I fix this for nginx? I have headscale clients connecting to jellyfin via nginx but in the nginx logs, the client IP is always 127.0.0.1.

@vutsalsinghal commented on GitHub (Mar 12, 2025): guys, how do I fix this for nginx? I have headscale clients connecting to jellyfin via nginx but in the nginx logs, the client IP is always 127.0.0.1.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label enhancement good first issue help wanted
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#70
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?