[HELP] Send client IP to proxy host
What happened?
I am running Zoraxy as an LXC (IP of Zoraxy: 10.0.11.6) on my Proxmox host (10.0.11.3). If I connect to a proxied host like auth.domain.tld, the Zoraxy IP is shown instead of my client IP... I am currently trying to implement Authelia, and all clients appear to be accessing from the Zoraxy host, so I cannot add IP-based exceptions.
If my client has the ip 10.0.11.123, I would expect the proxied host to receive the request from 10.0.11.123, not 10.0.11.6.
Describe what have you tried
I searched the GitHub but found no such problem... I tried to toggle the Remove Hop-by-hop Headers option, but no dice.
Describe the networking setup you are using
Here are some example, commonly asked questions from our maintainers:
- Are you using the docker build of Zoraxy? no
- Your Zoraxy version? 3.1.6
- Are you using Cloudflare? no
- Is your system hosted under a NAT router? no
- DNS record (if any): My DNS resolves zoraxy.domain.tld to 10.0.11.6
Additional context
Example output of my authelia log:
time="2025-02-06T15:14:39+01:00" level=debug msg="Checking the authentication backend for an updated profile for user" method=POST path=/api/verify remote_ip=10.0.11.6 username=marc
Thanks a lot for any help!
Hey @marchein
> If my client has the ip 10.0.11.123, I would expect the proxied host to receive the request from 10.0.11.123, not 10.0.11.6.

Showing the request as coming from Zoraxy on your upstream is exactly how an HTTP reverse proxy is supposed to behave. It reads the HTTP package, analyses the request and forwards it to the correct upstream server. It is an HTTP reverse proxy after all, not a TCP proxy.
However, if your goal is to get the client IP from an HTTP request sent to your upstream server from Zoraxy, you can try to read the X-Real-IP header or the full forwarded path in the X-Forwarded-For header.
Another solution would be adding additional sniffing logic in Zoraxy, so that when it senses the upstream server is an Authelia server, it modifies some headers and pretends the request originated from your client (10.0.11.123 in your case). But I am not an expert in Authelia, so you will need to help me by providing more information on how Authelia detects the request origin from HTTP headers.
I think the problem is the order of the X-Forwarded-For header.
I got this output from OctoPrint running behind Zoraxy:
> Your server side Client IP was determined to be 10.0.11.6. Your X-Forwarded-For header (10.0.11.103,10.0.11.6) might have influenced that. Make sure that this is the IP that OctoPrint should be seeing. It will be the right most IP in the X-Forwarded-For header ...

So the client I accessed the resource from is 10.0.11.103, but Zoraxy is 10.0.11.6. So maybe to fix my problems I need to swap the IPs in the X-Forwarded-For header, so it would be 10.0.11.6,10.0.11.103 instead of 10.0.11.103,10.0.11.6. How would this be possible?
@marchein Wait, that doesn't sound right.
As stated here and here, the correct sequence for appending to X-Forwarded-For is X-Forwarded-For: <client>, <proxy1>, <proxy2>
Zoraxy is the last proxy in your setup, so it appends its IP at the last index of the X-Forwarded-For header, which is correct. Are you sure your OctoPrint is configured correctly?
Well this is weird then. It is configured as default.
What seems even weirder to me is that it works fine if I use Nginx Proxy Manager instead of Zoraxy as my reverse proxy...
@marchein Because by default nginx will not proxy anything unless you add it to the config, while Zoraxy by default adds all the common sets of required headers to the request.
You can try removing the X-Forwarded-For header from the HTTP Proxy > Custom Headers setting and see if the error still persists. If yes, you can create an issue on the octoprint side and tag me so I can follow up this issue with the octoprint maintainer if needed.
Same here, Authelia always receives the Zoraxy IP. I tried to remove X-Forwarded-For without success: in that case Authelia receives the destination IP of the host. Maybe we are wrong with the setup?
On my side Authelia & Zoraxy are running on the same server, 192.168.4.211.
I created a host authelia.mydomain.com to 127.0.0.1:9091 (the Authelia listen port).
In the SSO screen I set Authelia Server URL to authelia.mydomain.com.
I have another host test.mydomain.com to 192.168.4.10:80 using Authelia.
When I try to connect to test.mydomain.com, I see that Authelia receives the IP 192.168.4.211 (Zoraxy IP). Any change to X-Forwarded-For (even deleting it) in the setup of test.mydomain.com has no effect; it is still 192.168.4.211.
When I delete the X-Forwarded-For header for authelia.mydomain.com, Authelia always receives 127.0.0.1. If I force X-Forwarded-For to X.X.X.X for authelia.mydomain.com, Authelia always receives X.X.X.X.
It seems to me that the client IP is never transmitted to Authelia....
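The header order discussed in this thread matters because an upstream has to decide which entry to believe. The following is an added example, not code from Zoraxy, OctoPrint or Authelia: it walks X-Forwarded-For from the right and stops at the first hop that is not a proxy the operator trusts. The function name `resolve_client_ip` and the `trusted_proxies` parameter are hypothetical; the addresses are the ones quoted above plus a constructed forged entry.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Pick the address an upstream should use for IP-based access rules.

    peer_ip         -- address of the TCP peer (the reverse proxy, if any)
    xff_header      -- raw X-Forwarded-For value, or None when absent
    trusted_proxies -- CIDR strings of proxies the operator controls (assumed input)
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # The header is client-controlled unless the direct peer is a trusted proxy.
    if not xff_header or not is_trusted(peer):
        return str(peer)

    # Entries are ordered <client>, <proxy1>, <proxy2>; the rightmost ones were
    # written by the nearest proxies, so verify from the right.
    candidate = peer
    for raw in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(raw.strip())
        except ValueError:
            break  # malformed entry: keep the last hop that was verified
        candidate = hop
        if not is_trusted(hop):
            break  # first untrusted hop is the client; anything left of it is unverified
    return str(candidate)


if __name__ == "__main__":
    header = "10.0.11.103,10.0.11.6"  # value quoted in the OctoPrint message above
    # No trusted proxy configured: the upstream only sees the proxy itself.
    print(resolve_client_ip("10.0.11.6", header, []))
    # Proxy address trusted: the real client is recovered.
    print(resolve_client_ip("10.0.11.6", header, ["10.0.11.6/32"]))
    # Constructed case: a forged leftmost entry sent by the client is ignored.
    forged = "203.0.113.7, 10.0.11.103, 10.0.11.6"
    print(resolve_client_ip("10.0.11.6", forged, ["10.0.11.6/32"]))
```

Swapping the header order, as proposed earlier in the thread, would make the leftmost, client-supplied entry the one that is believed, which is why IP-based exceptions should rely on a trusted-proxy list instead.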